Microsoft Releases Windows Azure Security Resources

Microsoft provided more information about security for Windows Azure, publishing a talk and white paper.

The latest discussion comes from a recorded chat by Charlie Kaufman, Microsoft security architect for Windows Azure, which was published by Microsoft today. Kaufman described the broad concepts that enable security for Windows Azure customers, although he conceded at one point that Windows Azure security is "secure enough for some applications and not secure enough for others."

Essentially, Windows Azure customers (or tenants) access virtual machines (VMs) that tap into Windows Azure's pooled resources in the Internet cloud. Access to the service is tied to the user's account and the account is established through a subscription portal. Customers gain access to the service through a Windows Live ID. Kaufman said that the "crypto behind Live ID is good."

Windows Azure has three basic components: compute, storage and SQL Azure (which is another form of storage, Kaufman said). All three components run on separate hardware and communication is established via HTTP or SSL requests. A single key controls everything that can be done with storage. Although all of the data on Windows Azure is stored in a single pool, access is only enabled via a secret key for each account, Kaufman explained.

Windows Azure uses a different kind of file system as part of its multitenant architecture. Existing apps need to be modified to use different types of storage, principally blob storage, Kaufman said. The C:, D: and E: drives that users see actually are virtual hard disks in the root operating system. Inputs and outputs go to the root OS and it makes sure that customers can only talk to their own disks. A network packet filter protects users from attacks from the outside, he added.

A few attacks are possible in Windows Azure. The customer administration interface could be used to launch attacks. However, Microsoft typically keeps watch by checking for any malformed requests.

A Windows Azure tenant could try to attack other tenants. However, Microsoft has architected Windows Azure so that the VMs of customers can't talk with the VMs of other customers. Such attacks would have to try to find a flaw in the hypervisor or in the drivers, Kaufman said.

An end user of Windows Azure could try an attack. In such cases, customers have all of the facilities of Windows to protect the VM against such attacks.

Customers have some security controls. They can determine how many role instances are needed. Each role instance creates a new C:, D: and E: drive structure and only one IP address is applied to a role instance. Customers can determine the size of each VM that runs application software. Customers also specify what certificates, passwords and secret keys each VM can use.

If that isn't enough information about how Windows Azure enables security, Kaufman coauthored a white paper, "Windows Azure Security Overview," released this month, that goes into greater detail. The white paper is written for developers and "technical decision makers."

Last month, Microsoft also released "Security Best Practices for Developing Windows Azure Applications." It describes Microsoft's Security Development Lifecycle, a process used internally by Microsoft to create its software products. It also describes specific Microsoft identity technologies used for Windows Azure security, including Active Directory Federation Services 2.0, the Azure App Fabric Access Control Service and Windows Identity Foundation.

About the Author

Kurt Mackie is online news editor, Enterprise Group, at 1105 Media Inc.

comments powered by Disqus

Reader Comments:

Sun, Oct 17, 2010

Microsoft has sunk to a new low . . . using “trial traps” . . . yes one must contact customer support to cancel a trial. There’s plenty of opportunity to sign up for more services but they make it very hard to cancel. I called Microsoft support . . . all the options for Azure support were available EXCEPT the one to cancel . . . it says they are CLOSED! I’m just going to tell my credit card company to charge back all Microsoft fees and move on to open source . . . there’s plenty of free software out there that works suffciently well given the cost. Azure is lack luster to say the least and high priced given the limited services. BTW: I was a devoted Microsoft customer for 15 years . . . I’m also a MCSE . . . but I’m giving up on Microsoft because they really are indifferent, at best, to the impact they have on customers.

Add Your Comment:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above