Making security a priority when moving applications and data to the cloud
IT Showcase Technical Case Study
Situation
Microsoft is committed to migrating line of
business (LOB) applications to Microsoft
Azure and moving email and collaboration
applications to Office 365. To complete the
move, Microsoft IT was engaged to analyze
security and privacy requirements,
implement the necessary controls and
procedures, and then migrate the
applications.
This technical case study focuses on the
security challenges that Microsoft IT faced
and how they approached security, privacy,
geopolitical, and data sovereignty concerns.
Most IT departments moving applications
and data to the cloud will face these
challenges.
Solution
Microsoft IT reconsidered what it meant to
provide security capabilities in the cloud.
They realized that moving to the cloud was
a paradigm shift from a datacenter security
mindset. The team developed new
strategies to monitor networks for intrusion
and leveraged new cloud security
capabilities including analytics.
Benefits
- Protection of sensitive information
- Active protection of the supply chain
- Improved intrusion detection and response
- Effective use of data analytics
- Better understanding of user behavior
- Device and endpoint integrity
- Protection of customer data
Products and technologies
- Microsoft Azure
- Microsoft Visual Studio
- Office 365
Published August 2015
Microsoft IT was tasked with moving approximately 2,100 line of
business applications to Microsoft Azure, including applications
that support human resources, finance, and support functions.
They realized that security in the cloud is significantly different
than security in an on-premises datacenter. The shift from
“protect and prevent” to “detect and respond” required a
change in corporate culture as well as technology.
Situation
Microsoft is using the Microsoft Azure cloud platform to run its business. The cloud
offers many advantages compared to traditional on-premises application hosting,
including reduced costs, rapid application deployment, advanced configuration
options, and a suite of management and monitoring tools.
Azure is a cloud platform that provides a collection of integrated services, including
application hosting, storage, data processing, and networking.
Microsoft Azure offers the following delivery models:
- Infrastructure as a Service (IaaS). IaaS is similar to traditional hosting, where a business uses the hosted environment as a logical extension of the on-premises data center. The servers (physical and virtual) are rented on an as-needed basis, and the IT professionals who manage the infrastructure have full control of the software configuration. Some providers may even allow flexibility in hardware configuration, which makes the service more expensive compared to an equivalent PaaS offering.
- Platform as a Service (PaaS). PaaS provides a platform on which to build and run custom applications as services. The users could be independent software vendors, value-added service providers, enterprise IT shops, or anyone who needs custom applications. PaaS offers hosted application servers that have near-infinite scalability because of the large resource pools they rely on. PaaS also offers necessary supporting services, such as storage, security, integration infrastructure, and development tools.
- Software as a Service (SaaS). SaaS is a software delivery business model in which a provider or third party hosts an application and makes it available to customers on a subscription basis. SaaS customers use the software running on the provider’s infrastructure on a pay-as-you-go basis.
For more information about delivery models, see the link to the MSDN article,
“Microsoft Azure for Enterprises” in the Resources section.
Challenges faced by Microsoft IT
The biggest challenges for Microsoft IT were not technology questions. Microsoft
IT realized that migrating 2,100 LOB applications to the cloud required a change in
corporate culture. The mindset needed to change from creating technology
solutions to solving business problems.
The team also found that they needed to change how they thought about security.
They needed to shift their approach to data security from an on-premises approach
to a cloud approach.
For example, Microsoft IT realized that:
- They would not fully own the network resources that they wanted to protect.
- They could not always control the path of data from source to destination.
- Guarding the network edge was no longer enough to protect applications and data.
- They would need to shift their mindset from protecting networks to monitoring for and responding to attacks.
- They needed to be very good at detecting and responding to attacks.
A second change was acknowledging that user behavior is a huge security risk. A
statistically significant internal survey showed that:
- Twenty-three percent of users overshare data.
- Blocking an action does not guarantee compliance.
- Users have a number of resources available that might allow them to circumvent security controls. For example, users may share information by using non-IT governed services.
- Those with greater awareness about data classification take the greatest risks when sharing data.
A related area was information sharing within an organization. For example, tools in
Azure let users view information about applications that can be helpful in the
development and optimization process. Microsoft IT realized that sharing available
information was both an opportunity and a challenge. The challenge was to
prevent oversharing of data by identifying the users to whom that information was
relevant.
Microsoft IT also identified device proliferation, management certificate
proliferation in Azure, and single-factor authentication as security risks.
The chief goals for this project were to:
- Migrate applications and data to the cloud, and
- Provide:
  - Physical security
  - Network security
  - Identity management
  - Vulnerability analysis and patch management
  - Logging and monitoring
  - Antimalware
  - Host and application security
  - Incident response
  - Threat intelligence
Governance, risk, and compliance related technology objectives for this project
included:
- Understand the cultural shift at Microsoft regarding security and how it affects moving applications to Azure. How does the emphasis on detect and respond change the security model at Microsoft?
- Determine how using data analytics to help understand user behavior changes the security model, including how user attestation affects behavior. This would let the team leverage the improved security features in the cloud.
Solution
Physical security
The move to Azure let Microsoft IT concentrate on monitoring networks,
aggregating data, and then analyzing that data. Because the physical security of
the network was outsourced to Azure, Microsoft IT was able to focus on improving
security through logging, auditing, and analysis instead of devoting resources to
physical security.
The Azure facility, which also hosts Office 365, and staff provide both physical
security and monitoring, including:
- Perimeter security.
- Fire suppression.
- Multi-factor authentication for building access.
- A 24/7 global incident response team to identify, investigate, and resolve security incidents and vulnerabilities.
For more information about the security and privacy features in Azure, visit the
Microsoft Azure Trust Center (see link in the Resources section).
Network security
Azure is designed to be secure and resilient to attack. However, as part of their
security strategy, Microsoft IT assumes that a system will be breached. Microsoft IT
uses a number of tools and techniques to monitor for attacks and intrusion
attempts. The events and data are aggregated and analyzed.
Microsoft IT still uses some pre-cloud tools and techniques, including:
- Edge firewall logs, router logs, and external balancer logs.
  Note: The availability of this data depends on where the application and data reside and where the client is located.
- Host firewall events that log the details of denied inbound connections that are hacking or scanning attempts. These events also include details of outbound attempts to send data to known bad destinations or attempts to gain command and control.
- Intrusion detection systems identify network devices that are at risk or already compromised.
- Data leakage protection events indicate data is being sent to inappropriate destinations.
Microsoft IT also relies on cloud tools and techniques for intrusion detection,
including:
- Collecting events that indicate anomalous network behavior, such as scanning, malware, or propagation.
- User education and attestation to help reduce the frequency of risky behavior.
- Network and application segmentation to help reduce network vulnerability.
- Azure Active Directory (AAD) security information that can show improbable logon patterns or brute force attacks; for example, if the same user tries to log on from different locations in a short time, or if the same user tries to log on repeatedly in a short time.
- Azure Diagnostics, which leverages diagnostic data from an application running in Azure. The diagnostic data can be leveraged for auditing, debugging and troubleshooting, measuring performance, monitoring resource usage, traffic analysis, and capacity planning.
Note: Not all of the resources listed above are available to
Microsoft IT on all delivery platforms. The availability of a tool or
technique is platform dependent.
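The two AAD sign-in patterns described above (the same user logging on from distant locations within a short time, and the same user failing repeatedly within a short time) can be expressed as simple rules over sign-in records. The following is an added example, not code from the case study or from Azure; the sign-in events, city coordinates, the five-minute window, the five-failure threshold and the 900 km/h travel ceiling are all constructed assumptions, and real sign-in logs would be mapped into the same four fields before running it.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real telemetry):
# (UTC timestamp, user, "Success"/"Failure", city the request came from)
SIGNINS = [
    ("2015-08-03T08:00:00", "alice", "Success", "Redmond"),
    ("2015-08-03T08:40:00", "alice", "Success", "Dublin"),     # 40 min for ~7,300 km
    ("2015-08-03T09:00:00", "bob",   "Failure", "Singapore"),
    ("2015-08-03T09:00:20", "bob",   "Failure", "Singapore"),
    ("2015-08-03T09:00:45", "bob",   "Failure", "Singapore"),
    ("2015-08-03T09:01:10", "bob",   "Failure", "Singapore"),
    ("2015-08-03T09:01:30", "bob",   "Failure", "Singapore"),
    ("2015-08-03T09:02:00", "bob",   "Failure", "Singapore"),
    ("2015-08-03T10:00:00", "carol", "Success", "Redmond"),
    ("2015-08-03T22:00:00", "carol", "Success", "Dublin"),     # 12 h is feasible by air
    ("2015-08-03T11:00:00", "dave",  "Failure", "Redmond"),
    ("2015-08-03T11:30:00", "dave",  "Success", "Redmond"),
]

# Constructed approximate coordinates (latitude, longitude) for the cities above
CITIES = {
    "Redmond": (47.67, -122.12),
    "Dublin": (53.35, -6.26),
    "Singapore": (1.35, 103.82),
}

# Assumed thresholds; tune them to the organisation's own baseline
BRUTE_FORCE_WINDOW = timedelta(minutes=5)
BRUTE_FORCE_THRESHOLD = 5
MAX_SPEED_KMH = 900.0   # roughly an airliner; anything faster is "improbable travel"


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def _by_user(events):
    """Group events per user, parsed and sorted by time."""
    grouped = defaultdict(list)
    for ts, user, outcome, city in events:
        grouped[user].append((datetime.fromisoformat(ts), outcome, city))
    for rows in grouped.values():
        rows.sort()
    return grouped


def detect_brute_force(events, window=BRUTE_FORCE_WINDOW, threshold=BRUTE_FORCE_THRESHOLD):
    """Return {user: peak failures inside any `window`} for users at/over threshold."""
    alerts = {}
    for user, rows in _by_user(events).items():
        failures = [ts for ts, outcome, _ in rows if outcome == "Failure"]
        start, peak = 0, 0
        for end in range(len(failures)):           # sliding window over failures
            while failures[end] - failures[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[user] = peak
    return alerts


def detect_improbable_travel(events, max_speed_kmh=MAX_SPEED_KMH):
    """Return [(user, from_city, to_city, implied_speed_kmh)] for consecutive successful
    sign-ins from different cities that would require travelling above max_speed_kmh."""
    alerts = []
    for user, rows in _by_user(events).items():
        successes = [(ts, city) for ts, outcome, city in rows if outcome == "Success"]
        for (t1, c1), (t2, c2) in zip(successes, successes[1:]):
            if c1 == c2:
                continue
            hours = (t2 - t1).total_seconds() / 3600.0
            distance = haversine_km(CITIES[c1], CITIES[c2])
            if hours <= 0 or distance / hours > max_speed_kmh:
                speed = round(distance / hours, 1) if hours > 0 else float("inf")
                alerts.append((user, c1, c2, speed))
    return alerts


if __name__ == "__main__":
    print("brute force:", detect_brute_force(SIGNINS))
    print("improbable travel:", detect_improbable_travel(SIGNINS))
```

Both rules only look at a single user's own history, which is what makes them cheap to run continuously over AAD sign-in data; the travel rule deliberately ignores failed attempts so that a password-spraying source in another country does not mask a legitimate user's location.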
It is important that infrastructure and applications be built according to Azure and
Microsoft IT standards. If a virtual machine or application is built outside of these
standards, Microsoft IT cannot monitor the resource.
Microsoft IT uses the Visual Studio Application Insights tool (see link in the
Resources section). Microsoft IT uses Application Insights to monitor application
health and performance. Potentially, Application Insights can help Microsoft IT
detect intrusions and attacks.
The Application Insights tool can also send performance and telemetry data to the
Azure portal for review. In the Azure portal, dev/ops staff can review information
that was formerly only available to infrastructure or security teams. This makes
important information about the application available to relevant users who know
the most about it. For example, information about application performance can be
presented to the dev/ops team while intrusion detection and attack information is
reported to a different group. While this is a benefit, Microsoft IT advises diligence
when determining the groups that see the different types of information to not
under-share or overshare information.
Identity management
AAD offers corporate standard security measures such as Microsoft Azure Multi-Factor Authentication (MFA) and integration with SAML 2.0, WS-Federation, and OpenID to help provide and manage access to applications and data.
Typically, MFA uses a user name and password with one of the following:
- Smart card
- Virtual smart card
- PhoneFactor
Microsoft IT uses smart cards for authentication. It also uses PhoneFactor for users
that log in from a phone or other device. PhoneFactor uses phone calls to verify
identity and is available as Azure Multi-Factor Authentication. PhoneFactor helps
secure on-premises and cloud resources that use AAD.
The IaaS environment managed by Microsoft IT uses ExpressRoute connectivity. In
this IaaS environment, the domain is extended into the cloud. The on-premises
Active Directory Domain Services installation synchronizes with AAD. Microsoft IT
intends to use AAD as the primary source for authentication. The use of AAD for
identity management solves the problem of management certificate sprawl, which
Microsoft IT has identified as a major problem.
Vulnerability analysis
Microsoft conducts regular penetration testing to improve Azure security controls
and processes. Microsoft has also established a policy for customers to conduct
authorized vulnerability testing on their applications hosted in Azure.
Note: Penetration testing requires a seven-day notice and
approval from Azure Customer Support.
Both Azure and Office 365 have teams dedicated to penetration testing. Microsoft
IT has a team that continually tests for endpoint vulnerabilities on Microsoft IT
resources in Azure.
Logging and monitoring
In Azure, a set of operating system security events are enabled by default.
Administrators can add, remove, or delete these events. In addition, Azure includes
HDInsight, a tool to centrally aggregate and analyze large sets of event data.
Microsoft IT uses HDInsight and Azure machine learning to store and analyze large
sets of security data.
In the hybrid IaaS environment, Microsoft IT analyzes host service logs, such as
those provided by Internet Information Services, to detect network intrusions and
attacks. Host service logs help Microsoft IT detect connection patterns that are
abnormal or not allowed. For example, host service logs can contain information
about network volume attacks or URL manipulation.
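Host service logs of the kind mentioned above (IIS in the hybrid IaaS environment) can be mined for exactly these two patterns: request floods from a single client and URL manipulation in the requested path or query. The block below is an added example and is not code from the case study or from Microsoft IT; the IIS W3C-format log excerpt, the field selection, the ten-second window and the 50-request threshold are constructed assumptions, and the generated flood from 10.7.7.7 stands in for a volume attack.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed IIS W3C extended-format log excerpt (not a real server's log).
# The flood from 10.7.7.7 is generated so the sample stays readable.
_HEADER = (
    "#Software: Microsoft Internet Information Services 8.5\n"
    "#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status\n"
)
_LINES = [
    "2015-08-03 09:00:01 GET /index.aspx - 10.1.2.3 200",
    "2015-08-03 09:00:02 GET /static/app.js - 10.1.2.3 200",
    "2015-08-03 09:00:05 GET /reports/view.aspx id=../../web.config 10.9.9.9 404",
    "2015-08-03 09:00:06 GET /..%2f..%2fwindows/win.ini - 10.9.9.9 400",
    "2015-08-03 09:00:10 GET /index.aspx - 10.5.5.5 200",
] + [f"2015-08-03 09:01:{i // 12:02d} GET /search.aspx q={i} 10.7.7.7 200" for i in range(60)]
IIS_LOG = _HEADER + "\n".join(_LINES) + "\n"


def parse_iis_log(text):
    """Turn W3C log text into a list of dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # a new #Fields line re-maps the columns
            continue
        if line.startswith("#") or fields is None:
            continue                       # other directives, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed line: skip rather than misalign
        rows.append(dict(zip(fields, values)))
    return rows


def _decode(value):
    # IIS writes "-" for an empty field; decode twice so double-encoded
    # sequences (e.g. %252e) are also normalised before inspection.
    return "" if value == "-" else unquote(unquote(value))


def find_url_manipulation(rows):
    """Return (c-ip, cs-uri-stem, cs-uri-query) for requests whose decoded path or
    query contains a directory-traversal sequence or an embedded NUL byte."""
    hits = []
    for r in rows:
        decoded = _decode(r["cs-uri-stem"]) + "?" + _decode(r["cs-uri-query"])
        if ".." in decoded or "\x00" in decoded:
            hits.append((r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"]))
    return hits


def find_request_floods(rows, window=timedelta(seconds=10), threshold=50):
    """Return {c-ip: peak requests inside `window`} for clients at/over threshold."""
    times = defaultdict(list)
    for r in rows:
        stamp = datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S")
        times[r["c-ip"]].append(stamp)
    floods = {}
    for ip, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):   # sliding window over this client's requests
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            floods[ip] = peak
    return floods


if __name__ == "__main__":
    rows = parse_iis_log(IIS_LOG)
    print("url manipulation:", find_url_manipulation(rows))
    print("request floods:", find_request_floods(rows))
```

Because the parser takes the column layout from the `#Fields:` directive rather than assuming it, the same functions work when a site's logging configuration selects a different set of fields, as long as the ones the rules need are present.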
Microsoft IT advises using deployment templates when creating resources. The use
of templates creates a consistent network security configuration. This provides
Microsoft IT with a baseline for detecting a security event before it becomes a
compromise. The Microsoft IT templates also reduce risk by configuring
appropriate file sharing protocols, opening appropriate ports, and defining security
groups to control access.
Office 365 on the SaaS delivery model offers many security features. Information
such as who is accessing what document from what device is displayed in a
dashboard. The data displayed in the dashboard is much richer than the data
returned when just monitoring the network.
Office 365 also includes the Reports page. The Reports page provides quick access
to user and administrator activity audit reports in Office 365, SharePoint Online,
and Exchange Online. The Reports page also provides access to AAD audit logs,
mobile device management information, and data leakage protection. These
dashboards and reports allow Microsoft IT to respond more quickly to possible
intrusions.
Antimalware, host, and application security
Azure offers both antimalware and distributed denial-of-service (DDoS) monitoring
to improve Azure security. The antimalware and DDoS monitoring can be enabled
in the subscription or by using APIs.
Azure has a DDoS defense system that helps prevent attacks against the Azure
platform services. It uses standard detection and mitigation techniques such as SYN
cookies, rate limiting, and connection limits.
Azure DDoS protection also benefits applications. However, it is still possible for
applications to be targeted individually. Therefore, customers should actively
monitor their Azure applications. For more information, see “Collect Logging Data
by Using Azure Diagnostics” in the Resources section.
Proxy devices (such as web application firewalls) that terminate and then forward
traffic to endpoints can run on a virtual machine, and provide protection against an
even broader range of DDoS and other attacks (for example, low-rate, HTTP, and
application-layer threats).
Some available virtual solutions are also capable of both intrusion detection and
prevention.
More instances of an application can be deployed to handle the potentially higher
load generated by an attack. For more information on these techniques, see
“Disaster Recovery and High Availability for Azure Applications” in the Resources
section.
If a customer notices their application is under attack, they should contact Azure
Customer Support (link in Resources) to receive assistance. Azure Customer
Support personnel are trained to react promptly to these types of requests.
In addition to the default Azure antimalware services, Microsoft IT collects and
analyzes antimalware and antivirus logs on the host systems. This provides a list of
active, cleaned, or quarantined viruses and malware.
In Azure, Microsoft IT currently installs antimalware and other security
enhancements on domain-joined machines connected by Microsoft Azure
ExpressRoute in the standard image and via group policy. For non-domain-joined
machines, they use Azure API to deploy and monitor this security capability.
Incident Response
Both Azure and Office 365 have 24/7 global incident response teams on-call to
identify, investigate, and resolve security incidents and vulnerabilities in Microsoft
software. The detection of a security event alerts engineering and communication
teams to develop a solution and provide guidance to customers.
Note: Exceptions are available for some policies and standards.
Microsoft IT is committed to being very good at responding to events that violate
policy and standards. In addition, Microsoft IT does the following to monitor and
respond to security events:
- Microsoft IT examines incoming files for malware and advanced persistent threats.
- In Office 365, Microsoft IT uses signaling to warn users of risky behavior. The user receives a message in the notification bar when they perform an inappropriate action. Signaling makes users more accountable for their actions.
- Office 365 can scan and remove potentially harmful attachments and content before the data is delivered. The harmful files are also removed from the Exchange file store.
Threat intelligence
Azure also hosts threat information that is shared with Internet service providers
and computer emergency response teams. This threat information is available in
near real-time through the Cyber Threat Intelligence Program, C-TIP. This program
provides information about corporate and consumer systems that are infected with
malware.
Microsoft IT uses up-to-date block list and signature information sourced from
network security vendors and customers. This threat intelligence program helps
Microsoft IT be proactive in monitoring for security events. This information is also
available in Azure to help customers detect and respond to intrusions.
Governance, risk, and Azure compliance
Azure provides compliant services that are independently verified by the
International Organization for Standardization, Service Organization Controls, and
others. This makes it easier and more cost effective to deploy applications and
infrastructure in Azure.
Providing good guidance on remaining compliant with established standards is a
focus for Microsoft IT. The team works with application and infrastructure owners
to verify that they are doing the right things to remain compliant. This compliance
enables Microsoft IT to use established methods to monitor resources.
A resource must be available—it must be “seen”—for Microsoft IT to monitor it for
problems. To be visible, the resource must comply with Azure and Microsoft IT
standards. If Microsoft IT detects a change or event that presents a security risk, the
resource owner is notified about the problem. Microsoft IT also consults with the
resource owner regarding security and compliance issues if multiple problems are
detected.
When considering governance, risk, and compliance, Microsoft IT has the same
responsibilities and concerns as any Azure customer. Microsoft IT recommends
following a three-part model:
- Follow up on customer responsibilities. There are tasks in Azure that are solely the responsibility of the customer. For example, the customer is responsible for reviewing and evaluating security logs. Customers may need to operationalize these responsibilities.
- Validate configurations according to standards and policies. There are many configurations and settings in Azure. Customers should make sure that their configuration adheres to their corporate standards and policies.
- Follow the guidelines in the Azure Trust Center (see link in the Resources section).
Data classification
Microsoft IT regards data classification as extremely important. Data is classified
according to its business impact on a company.
Note: How data is classified may vary in different industries.
Microsoft classifies data as High Business Impact (HBI), Medium Business Impact
(MBI), Low Business Impact (LBI), or Public (Figure 1).
Figure 1: Data classification used by Microsoft
Correctly classifying data lets Microsoft IT use appropriate security controls
(Figure 2).
Figure 2: Security controls by data classification
For more information about how Microsoft classifies data internally, see “Data
Classification at Microsoft” (link in the Resources section).
Office 365 has additional controls to reduce the risk of data being compromised.
For example, a site creator must attest to the type of data (HBI, MBI, or LBI) that will
be hosted when they create a SharePoint site. By default, sites that host higher risk
data are created with more restricted access.
Additionally, Office 365 uses DLP Policy Tips and data encryption that uses Rights
Management Service to reduce risk when transmitting data.
Benefits
- Better understanding of cloud security. The lack of a traditional network “edge” forced Microsoft IT to shift their focus from protecting the network by preventing network intrusion to monitoring for and responding to network intrusions. Collecting and analyzing logs from edge firewalls, routers, and external balancers to ensure device integrity is an important part of the monitoring process. Microsoft IT assumes network intrusions as part of their security strategy.
- Effective use of web analytics. Microsoft IT has also learned how to be proactive. The use of web analytics enables Microsoft IT to identify risks before an issue occurs. The team uses signaling to warn users of risky behavior and users must confirm their actions. The effective use of analytics has also helped the team better understand user behavior.
- Leverage cloud capabilities. Microsoft IT has learned how to leverage the features of Azure to help strengthen security. By taking advantage of the services and features in AAD, Microsoft IT developed stronger identity management and authentication processes to help prevent network intrusion.
- Improved protection of intellectual property. Microsoft IT took advantage of Azure features such as data encryption and data leakage protection policies to help improve the protection of intellectual property.
Best practices
The biggest change for Microsoft IT was a shift in mindset. Microsoft IT realized
that many of the same security tasks exist in the cloud, but those tasks must be
done differently. The shift from “protect and prevent” to “detect and respond”
required a change in corporate culture as well as in the technology.
In addition to improved detection and response tools and techniques, Microsoft IT
learned that:
- Moving to the cloud is an opportunity to rethink network security.
- Outsourcing physical infrastructure security and maintenance to a trusted cloud service provider is an opportunity to improve security through logging, monitoring, and analysis.
- It is easier to make a data center look like a cloud than to make a cloud look like a data center. The move to the cloud requires a change in mindset. If you do things in the cloud the same way as in a data center, it will be more expensive.
- Azure provides new capabilities that are required in the modern IT landscape. However, operationalizing those capabilities can be a challenge.
- In the cloud, the development/test role is minimized. Nearly all resources are devoted to production.
- Monitoring the network and users is approved “shadow IT.” The goal is to monitor all network events instead of placing obstacles in the path of an attacker.
- The use of deployment templates lets stakeholders use the same deployment logic and helps ensure that the resource can be monitored.
- Data classification is extremely important to applying appropriate controls to help protect data.
- Data sharing is a huge risk. The challenge is to identify users that the data is important to and not overshare the data.
- It is crucial to develop applications that take advantage of Azure services and AAD to help secure applications and data. Move away from using management certificates.
- It is important to define a list of security risks that need to be resolved before you begin an Azure migration.
The project to migrate LOB and productivity applications to the cloud continues,
and Microsoft IT is still learning. The team has added the following goals to the
project:
- Create service catalogs and templates to enable safe self-provisioning for users.
- Create an enterprise gallery and curated marketplace.
- Simplify security with one standard for all users. Make network security simple and keep it that way.
- Move the remaining applications from the data center to the cloud.
Resources
Get started with Visual Studio Application Insights
https://azure.microsoft.com/en-us/documentation/articles/app-insights-get-started/
Microsoft Azure Trust Center
http://azure.microsoft.com/support/trust-center/
HDInsight
http://azure.microsoft.com/services/hdinsight
Accessing Hadoop Logs in HDInsight
http://blogs.msdn.com/b/brian_swan/archive/2014/01/06/accessing-hadoop-logs-in-hdinsight.aspx
Data Classification at Microsoft
http://www.microsoft.com/enterprise/microsoft-it/reports2014/security/default.html?page=3#fbid=GCNavtJNBrl
Collect Logging Data by Using Azure Diagnostics
https://msdn.microsoft.com/en-us/library/gg433048.aspx
Microsoft Azure for Enterprises by Hanu Kommalapati
https://msdn.microsoft.com/en-us/magazine/ee309870.aspx
For more information
For more information about Microsoft products or services, call the Microsoft Sales
Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Order
Centre at (800) 933-4750. Outside the 50 United States and Canada, please contact
your local Microsoft subsidiary. To access information via the web, go to:
www.microsoft.com
www.microsoft.com/ITShowcase
© 2015 Microsoft Corporation. All rights reserved. Microsoft and Windows are either registered
trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their
respective owners. This document is for informational purposes only. MICROSOFT MAKES NO
WARRANTIES, EXPRESS OR IMPLIED, IN THIS SUMMARY.