During my time working with the Government Cloud, I noticed that every newly on-boarded virtual machine, once successfully provisioned, had to run a script called "hardening". Digging into this script, I found that it contained many security configuration policies. When the script runs, Windows automatically configures the Local Security Policy and the built-in advanced firewall (on Windows Server).
Microsoft excels at building solid partnerships with service companies around the world. You may not know that on Microsoft Azure you can engage a security consulting partner to help you perform a server vulnerability assessment. Moreover, through Azure Security Center you receive a recommendation that gives you the opportunity to let Qualys support you.
The ultimate objective of security is to protect data from any unauthorized access, and confidentiality deserves the same emphasis. Controlling access to the virtual machine and its data is not always enough: through a local attack, an attacker might obtain the disk on which your data is stored. In this situation, adding an extra protection layer by encrypting your disk is always a recommended best practice.
When it comes to network defense, the demilitarized zone (DMZ) is the first thing that comes to mind. What is this so-called demilitarized zone? Is it a highly sensitive military area you should not step into?
In the field of security, a DMZ is a separate network segment that is not part of your private (trusted) network. It stands on its own between your private network and the untrusted network, isolating one from the other. Trust is difficult to quantify; an untrusted network is simply one in which you place very little trust.
If you work with the Microsoft Cloud, you may have heard of the Microsoft Trust Center, where Microsoft demonstrates to its customers that the platform is trustworthy. There, Microsoft publishes not only its compliance achievements but also its security and privacy practices. For Microsoft Azure specifically, the Trust Center is here
Cloud computing is heterogeneously broad, covering everything from software services to hardware infrastructure. Nevertheless, people still follow the definition of the U.S. National Institute of Standards and Technology (NIST), which specifies three service models:
Connecting directly over RDP to your system is not recommended in practice, because the RDP connection traverses the Internet, which is a weak, untrusted medium. To add an extra layer of security, you should set up a jump virtual machine (also known as a bastion host) that connects privately to your system via a Point-to-Site VPN. The illustration below shows the target setup. In this setup, a virtual machine residing in a different virtual network is used to connect to your private network, and a Point-to-Site connection between the jump virtual network and your private virtual network secures that connection.
Last month at the Global Azure Bootcamp 2017 at Microsoft Singapore, I presented several security practices, together with a defense-in-depth strategy, for securing your Azure IaaS deployment. In the presentation, I shared four security principles that I have worked out myself during my time working with computers.