Extending Azure security capabilities
As more organizations are delivering innovation faster by moving their businesses to the cloud, increased security is critically important for every industry. Azure has built-in security controls across data, applications, compute, networking, identity, threat protection, and security management so you can customize protection and integrate partner solutions.
We keep investing in security and we are excited to share exciting updates this week at Hannover Messe 2019. We are excited to announce that Dedicated Hardware Security Module Service (HMS) in UK, Canada, and Australia, Azure disk encryption support for Virtual Machine Scale Sets (VMSS) are generally available. Also Advanced Threat Protection for Azure Storage, the Regulatory Compliance Dashboard, and support for virtual machine sets are now generally available as part of Azure Security Center.
Advanced Threat Protection for Azure Storage is now generally available
Advanced Threat Protection for Azure Storage helps customers detect and respond to potential threats on their storage account as they occur. This layer of protection allows you to protect and address concerns without needing to be an expert in security. Enabling it is quick and simple. Once enabled, security alerts are triggered when suspicious activity occurs and you can view them listed in Azure Security Center. Security alerts provide details of suspicious activity that was detected and recommended actions to take to investigate and mitigate the potential threat.
The benefits of Advanced Threat Protection for Azure Storage includes:
- Detection of anomalous access and data exfiltration activities.
- Email alerts with actionable investigation and remediation steps.
- Centralized views of alerts for the entire Azure tenant using Azure Security Center.
- Easy enablement for many storage accounts using the Azure portal, Azure Policy, or Standard Azure APIs.
To learn more, refer to the documentation, “Advanced Threat Protection for Azure Storage,” or the Azure Security Center pricing page.
Regulatory compliance dashboard in Azure Security Center is generally available
We are pleased to announce that the regulatory compliance dashboard in Azure Security Center is now generally available! The dashboard helps Security Center customers streamline their compliance process by providing insight into their compliance posture for a set of supported standards and regulations.
The compliance dashboard surfaces security assessments and recommendations as they align to specific compliance requirements based on continuous assessments of your Azure and hybrid environments. The dashboard also provides actionable information for how to act on recommendations and reduce risk factors in your environment, and thus improve your overall compliance posture.
The information provided by the regulatory compliance dashboard can be very useful for providing evidence to internal and external auditors on your compliance status with the supported standards. To further facilitate this, you can now generate and download a compliance report directly from the compliance dashboard. The report can be generated for a particular supported compliance standard and depicts a high-level summary of your current compliance status with respect to that standard. In addition, you can now automate compliance processes and manage them at scale using programmatic APIs.
To learn more about regulatory compliance in Azure Security Center, visit the documentation, “Tutorial: Improve your regulatory compliance.”
Azure Security Center now supports Virtual Machine Scale Sets
Security Center can now protect your Virtual Machine Scale Sets. You can easily monitor the security posture of your VM Scale Sets with security recommendations to increase overall security, reduce vulnerabilities, and detect threats with Security Center’s advanced threat detection capabilities.
Security Center automatically discovers your VM Scales Sets and recommends that you install the monitoring agent to get better security assessments and enable events-based threat detection.
For every VM scale set instance, you can benefit from a list of recommendations such as:
- Install the monitoring agent
- Remediate vulnerabilities in security configuration
- Remediate endpoint protection health failures
- Install endpoint protection solution on virtual machine scale sets
- Install system updates
- Enable diagnostics logs in Virtual Machine Scale Sets’
Threat detection alerts are also available for VM scale sets instances for any VM protected by Security Center standard tier. To learn more on VM Scale Set support.
Note: Pricing of VM scale sets instances is the same as VM. For detailed information visit our pricing page.
Announcing Azure Dedicated HSM service availability in UK, Canada, and Australia regions
The Azure Dedicated Hardware Security Module (HSM) service provides cryptographic key storage in Azure and meets the most stringent customer security and compliance requirements. This service is the ideal solution for customers requiring FIPS 140-2 Level 3 validated devices and complete, exclusive control of the HSM appliance. The Dedicated HSM service uses SafeNet Luna Network HSM 7 devices from Gemalto. This device offers the highest levels of performance and cryptographic integration options and makes it simple for you to migrate HSM-protected applications to Azure. The Azure Dedicated HSM is leased on a single-tenant basis.
The Azure Dedicated HSM service was originally announced in 8 Azure public regions on November 28, 2018 and we are now pleased to announce that the service is expanded to the UK, Canada, and Australia. With this new announcement, the Dedicated HSM service is now available in 14 regions namely, East US, West US, South Central US, East US 2, Southeast Asia, East Asia, West Europe, North Europe, UK South, UK West, Canada Central, Canada East, Australia East, and Australia Southwest regions. We plan to continue expanding this service to other Azure regions.
- To learn about the Dedicated HSM service availability announcement, please refer to blog post, “Announcing Azure Dedicated HSM availability.”
- To learn more about the Azure Dedicated HSM service, please refer to the service documentation.
- To learn about pricing and suitability of this service for your applications, please contact your Microsoft Account representative.
Announcing Azure Disk Encryption general availability for Virtual Machine Scale Sets
Today, we are excited to announce the general availability of Azure Disk Encryption (ADE) for Virtual Machine Scale Sets (VMSS). With this announcement, Azure disk encryption can be enabled for Windows and Linux Virtual Machine Scale Sets in Azure public regions. This enables customers to help protect and safeguard the Virtual Machine Scale Sets data at rest using industry standard encryption technology.
Azure Disk Encryption is a capability that helps you encrypt your Windows and Linux IaaS Virtual Machine Scale Sets disks. Disk Encryption leverages the industry standard BitLocker feature of Windows and the DM-Crypt feature of Linux to provide volume encryption of disks. The solution is integrated with Azure Key Vault to help you control and manage the disk-encryption keys and secrets. The solution also ensures that all data on the VM disks are encrypted at rest in your Azure Storage.
The solution is deployed in all Azure public regions. Additional details on supported and unsupported scenarios, interfaces, and how you can use the disk encryption technology to encrypt your Virtual Machine Scale Sets and validate your scenarios is documented below.
- Virtual Machine Scale Sets encryption is supported only for scale sets created with managed disks, and not supported for native (or unmanaged) disk scale sets.
- Virtual Machine Scale Sets encryption is supported for OS and Data volumes for Windows Virtual Machine Scale Sets.
- Disable encryption is supported for OS and data volumes for Windows Virtual Machine Scale Sets.
- Virtual Machine Scale Sets encryption is supported for data volume for Linux Virtual Machine Scale Sets. Disable encryption is supported for data volumes for Linux Virtual Machine Scale Sets.
- Virtual Machine Scale Sets reimage and upgrade operations are supported.
- The key vault to safeguard the encryption must be provisioned with the right access policies in the same subscription and same region as the Virtual Machine Scale Sets.
- Virtual Machine Scale Sets encryption is not supported for scale sets created with native (or unmanaged) disk.
- Virtual Machine Scale Sets encryption is not supported for OS volume for Linux Virtual Machine Scale Sets encryption.
For additional details on Azure Disk Encryption support for Virtual Machine Scale Sets, refer to the below ADE documentation:
- Azure Disk encryption pre-requisites
- Windows Virtual Machine Scale Sets encryption
- Linux Virtual Machine Scale Sets encryption
Our continued investments in Azure security can help you reduce costs and complexity with a highly secure cloud foundation managed by Microsoft. Use multi-layered, built-in security controls, and unique threat intelligence from Azure to help identify and protect against rapidly evolving threats. To learn more about Azure Security please visit Azure Security homepage. To try Azure Security Center’s new capabilities, please visit the Azure Security Center homepage. As always, for any feedback or additional information contact our team at SecurityCenter@microsoft.com.
Learn how Microsoft partners are building a sustainable future at Hannover Messe 2019.
This blog post was co-authored by Ron Matchoro, Principal Program Manager, Ronit Reger, Senior Program Manager, Miri Landau, Senior Program Manager, and Devendra Tiwari, Principal PM Manager, Azure Security Center.