Join David Elfassy for an in-depth discussion in this video, The importance of securing the cloud, part of Microsoft Azure: Security Concepts.
- [Instructor] In this video we will discuss the importance of securing the Cloud, specifically focusing on Microsoft Azure. So we will review the various primary solutions of Microsoft Azure, the way that they should be secured, and we'll try to discuss some of the myths that are related around security for a Cloud, whether that be a Private Cloud or a Public Cloud, and how those affect Microsoft Azure. As well, we'll talk about some recommendations for securing the Cloud at the high level. So let's first review the primary solutions.
We have three types of hosting solutions, infrastructure solutions, for Microsoft Azure. The first is infrastructure as a service. The second, platform as a service and software as a service. Now, there are sub-sections to those types of solutions in a cloud-based service. However, those are the primary buckets that we will review as part of this course. So infrastructure as a service is where the cloud provider provides the physical infrastructure for your hosting solution. For example, you have all of the data centers and all of the servers, and all of the memory, and the storage.
All of that infrastructure is provided for you and is rented to you as a service. A platform as a service is where there's some limited deployment that is already there, the underlying platform. So for example, Windows or a database solution that's already been implemented as a platform, and then you will be renting services as part of that platform. So it builds on top of the infrastructure where you have the infrastructure, plus the platform, that are provided to you as a service. The third bucket is software as a service.
Now, software as a service is where the infrastructure and the platform are already there, but the software is already deployed on top of that platform. For example, an email solution. Exchange Online is sold or rented as a service. That software is part of Microsoft Azure, and it's marketed as Office 365. So those are the three primary solutions in Microsoft Azure, but they also apply to other cloud providers. If you're looking at Amazon solutions, you'll find similar types of solutions for the cloud provider.
Now, the solution type defines the type of security that we need to implement, and the reason why I mentioned that is because you have different types of solutions that are provided to you, and they have different types of interaction with your data and your resources. Therefore, the way that you need to secure that data and those resources is different based on the type of solution that you use by a cloud provider. So if you have an infrastructure as a service, the security requirements are almost identical to what you're currently doing on premises.
Its part of your cloud solution is the actual underlying infrastructure: all of the software, all of the platforms, all of the operating systems, and everything that you deploy on top of that infrastructure must be secured the same way that you're currently securing your resources on premises. The same way that you're securing your on-premises solutions, you will have to secure your infrastructure as a service solutions based on the similarity of the deployment. Now, if we go a little bit further and look at the platform as a service solution, the security requirements are mostly defined in the configuration and the deployment of what's going to sit on top of that platform.
So if you have a storage solution or if you have a document management solution that is going to reside within the platform that is provided by the cloud provider, all of the security settings that you're going to have to manage are gonna be the security settings for that specific software, for that specific tool that you're deploying into the platform. So it will be very specific to that application, and the deployment that you will use for that application is going to have some security requirements around it as well, and you will define all of those as part of your deployment solution.
If we go into a software as a service solution, then our security requirements are generally restricted to the way users behave and the available configurations in the UI, in the User Interface, of Microsoft Azure. So if you've got, for example, an application or a specific service that is deployed as part of software as a service such as Exchange Online where you're provided with a set of user settings and a set of configurations, the way that you manage those configurations and the way that you manage those settings are gonna define your security for that software.
So that may be the frequency of a password that needs to be reset, or that may be the way that the emails are going to be retained or encrypted into that software as a service solution. So as we build on to the amount of services and solutions that we use as part of our cloud provider, for example Azure, then the responsibility or the onus of security is taken away from the administrator and is being implemented and provided by the cloud provider. Now, there are various scales that define, well, how much of the responsibility is going to be yours as an administrator of an Azure platform, or is going to be provided by the cloud provider, such as Microsoft.
So I really like this diagram, because it provides a good representation of what it is that you are or are not responsible for. And if you see the least amount of responsibility, so those buckets that are defined in blue, are in a software as a service solution. So everything that's related to your client, to your account management, your user passwords for example, and how much you want to retain your data, all of those settings are your responsibility. Everything else that is related to the platform and the infrastructure are going to be the responsibility of the cloud provider, Microsoft in this case.
So all of those gray boxes, as you see, reduce. Therefore Microsoft's responsibility is reduced as you go down the scale to infrastructure as a service. If you're on-premises, of course, Microsoft is not responsible for any of it, and you're responsible for the entire deployment. If you wanna completely or reduce as much as possible your security onus and the responsibility of security configurations, then software as a service is likely to be the best solution for you. An important point to note is that you will always own your data.
Everything that's your resources and your data is always going to be the ownership of the client, the company, yourself, as part of the solution. So it's very important to understand when your security skills are required, and where within the solution you will be required to manage a specific type of security setting. And again, the type of solution that you choose with your cloud provider is going to define the amount of security requirements that are on you. So some great security principles to live by when looking at a cloud solution, and also true if you have an on-premises deployment of Windows or any type of infrastructure solution.
The key is always to achieve that balance between security and accessibility. Now, here are some great security principles to live by. I always tell my clients that the key is to achieve that magical balance between security and accessibility. A network that is truly secure is a network that is completely detached from all network access, detached from the Internet, and physically disconnected from any outside attacks. However, that network or that resource is really not accessible. Now, a resource that is truly accessible and easily accessible may not be the most secure.
So there's truly a balance between the two that we need to find is, having providing access to the data and to the resources while still maintaining them secure, but not putting too many hurdles that the accessibility is going to be hampered, so that is really a fine art almost in achieving that right solution. Another very important security principle is to always look for your weakest link. Now, there is a weak link in every deployment. Every deployment that I've encountered has actually usually had many weak links.
Now, to identify your weakest link is usually going to be your greatest security threat, because if there is going to be an attack on your infrastructure, the weakest link is going to be exposed, likely, first. Now, there's some myths that I really wish you would ignore, and I hope through this course you will learn to ignore them. One of those is that the Cloud is secure by design. Hopefully if you're listening to this course, it means that you've already realized that a Cloud is not really secured by design. There is a certain amount of responsibility that will be on you to secure part of your solution.
The cloud is unsecure by design, and that's a little bit of the flip-side of it where various administrators may think that there's nothing secure about the Cloud because it's public, it's out there, it's connected to the Internet. Now, there are some security settings that are built in, and as I will demonstrate, it's really defined on the amount of settings that you choose to use as part of the initial deployment of Microsoft Azure or your cloud provider. Now, someone else's platform means it's someone else's problems. Well, actually you are using the infrastructure and you are providing your data into this infrastructure.
Therefore, it becomes your problem. Now, it's important for you to understand the amount of security that is going to be provided by your cloud provider, and it's also important for you to understand how much of it is your problem; how much of it is your responsibility, and these are the things that we will review as we demonstrate the various security tools as part of Microsoft Azure.
- Securing objects and virtual machines
- Deploying certificates for Azure resources
- Implementing multi-factor authentication
- Securing Office 365
- Securing Azure Active Directory