Post image for Microsoft Windows Azure – Secure Development, By Sameer Shelke, Aujas

Microsoft Windows Azure – Secure Development, By Sameer Shelke, Aujas

by tapangarg on May 19, 2011

Confusion and fear have long been the primary reasons for slower adoption of the Cloud. The last few years have seen the landscape becoming “less cloudy”, with services and solutions bringing more assurance to Cloud services users. Today, organizations understand their risk appetite and are posturing towards Cloud adoption.

While doing so, security controls are deployed to manage risks such as privileged user access, data segregation, investigative support, recovery, regulatory compliance, etc. The responsibility of securitylies with the service provider or user. It is chosen, based on the type of the Cloud service being considered.

Most organizations are seen to adopt the Cloud for IaaS or PaaS for business applications. This allows them reasonable control on data and its access, and in turn, the deployed security controls. The Windows Azure Platform, Microsoft’s Cloud platform offering is one of the leaders in the PaaS space, providing customers components like Compute, Storage, CDN, Virtual networks, and AppFabric. The platform provides a range of API built on REST, HTTP, and XML, which allow a developer to interact with the services provided by Windows Azure.

Microsoft also provides a client-side managed class library that encapsulates the functions of interacting with the services. Further, it integrates with Microsoft VisualStudio so that it may be used as the IDE to develop and publish Azure-hosted applications. The Azure platform provides certain security features such as:

  • Identity management and access control
  • Isolation of data through separate physical containers
  • Encryption of data in the fabric
  • Security libraries

Many of the security controls are enabled by integration with other Microsoft and third party products. Organizations or service providers adopting or developing Cloud applications on Azure need to design their security posture using three components.

Enable platform security controls:

Developers must harness the rights tools and APIs to secure the application and data. It is also important that developers understand the risk profile of the application, to ensure that the security controls and integrations are aligned to the value of the application and data.

Develop secure applications:

The applications developed, should be secure by design. This necessitates an understanding of the Azure runtime trust models and the security protections of each Cloud layer, e.g. building of the“Gatekeeper” based design proposed by Azure with the help of design patterns such as control access context, advisor, and interceptor and web roles. Most Windows Azure applications have been built, or will be built using Agile methods. The concept of SDL (Secure Development Lifecycle) addresses security threats throughout the development process by means that include: threat modeling during the requirement definition/design process; following development best practices and code security standards during coding; and requiring various tools for testing and verification before deployment. These proactive checks during development make the software less vulnerable to potential threats after the release.

Equally important is the aspect of security education/awareness building among developers, on principles of secure design and development.

Deploy compliance strategy:

Compliance to regulationsand standards are important for applications, which would be used in specific industry segments, e.g. PCI DSS/PADSS for payment card industry, banking regulations, etc. Most of the compliance requirements cover areas related to software development and management. They require specific technical and process controls to be used, such as masking sensitive information, encryption, bug management, segregation of duties, testing, validation, etc.

Sameer Shelke
Co-founder, Chief Operating Officer & Chief Technology Officer, Aujas.

Aujas (www.aujas.com) is a Global Information Risk Management (IRM) services company. Aujas provides management consulting and technology life-cycle services in the area of information risk.

Related Posts:

  • Rajnikanth

    hi…in the pic above shouldn’t dark green be the service provider and vice versa…in traditional IT…user is responsible and in the SaaS..IT THE SERVICE PROVIDER WHO IS REPSONSIBLE?

    • Rajnikanth

      m sorry..read it wrong…its right!!!

Previous post:

Next post: