The IaaS market is booming and three players dominate the market: Microsoft, Amazon, and Google. While Amazon Web Services (AWS) has the largest market share, Azure is poised to catch up to AWS and currently enjoys the highest growth rate, almost double the growth rate of AWS. According to the 2018 State of the Cloud Report by RightScale, Azure increased adoption from 43% to 58%.
Azure Security Challenges
As Azure adoption increases, so does the security risks that come with cloud usage. However, enterprises can’t afford to have their Azure environment or the applications running on Azure compromised. 72.2% of enterprises have business critical applications-defined as an application that, if it experienced downtime, would greatly impact the organization’s ability to operate.
And while Microsoft has built a robust set of native security capabilities for Azure, ultimately, cloud security’s shared responsibility model requires the customer to be responsible for a significant portion of Azure security. This isn’t an easy task however, as evidenced by Gartner’s observation that through 2020, 95% of security incidents in the cloud will be the fault of the customer.
Shared Responsibility Model for Azure at a Glance
Like most cloud providers, Azure operates under a shared responsibility model. Azure takes responsibility for the security of its infrastructure and has made platform security a priority in order to protect customers’ critical information and applications. Azure detects fraud and abuse and responds to incidents by notifying customers. However, the customer is responsible for ensuring their Azure environment is configured securely, data is not shared with someone it shouldn’t be shared with inside or outside the company, identifying when a user misuses Azure, and enforcing compliance and governance policies.
Compliance Obligation, Data Classification & Accountability
While certain SaaS solutions such as Office 365 or Box provide some level of data classification and data loss prevention capabilities natively, when it comes to IaaS services like Azure, the responsibility for identifying and protecting sensitive data to meet compliance requirements is wholly owned by the customer.
Client & End-Point Protection
End-points connecting to IaaS platforms must be protected by the customer. While Microsoft offers Intune to manage devices, it’s still the responsibility of the customer to properly configure them and protect data moving between Azure and the end-point.
Identity & Access Management
Azure, through Azure AD, provides a robust platform to manage users and identities. However, it’s up to the customer to ensure that identity and access management is properly set up. Things like enabling multi-factor authentication, preventing unauthorized access, and implementing role-based access controls all fall within the customer’s responsibility.
Application Level Control
Managed applications (PaaS) such as web services, IoT, etc. take some of the security responsibility off the shoulders of the customer, but these services still need to be properly configured by the customer. When it comes to the operating system and application layers within a Virtual Machine, the customer is responsible for its protecting and security.
Unlike the SaaS security model where the cloud service provider is wholly responsible for network security, the customer shares the responsibility of network security with Microsoft when using Azure’s network services such as virtual networks, load balancing, etc. For example, the customer is responsible for security configuration and management of network security groups and gateways.
Host infrastructure relates to compute services like virtual hosts, containers, etc or storage services such as object storage or file storage. Microsoft shares the security responsibility for Host infrastructure with Azure customers.
While Microsoft is responsible for security of the operating system of the host services, for example, properly configuring the service is the customer’s responsibility.
One of the primary benefits of cloud is that customers don’t have to manage the physical element of their information technology infrastructure. As such, the physical security of the cloud infrastructure is a responsibility wholly owned by the cloud service provider. This includes physical access security, disaster recovery, and availability,
To learn more about Azure security’s shared responsibility model, click here.