If you are an avid reader of my blog, you may have noticed that every recent article related to Azure IaaS security includes an introduction to my upcoming book, titled “Microsoft Azure IaaS Defense in Depth Guide“. This book will cover common security design considerations and guidance on how to apply a defense in depth strategy to a system hosted on Microsoft Azure IaaS. You will also learn a number of security practices, along with the Microsoft Azure built-in features that help prevent common attacks (e.g. brute-force attacks, DDoS, attack surface exposure). It is written not only for Azure IT Pros but for anyone who is going to move or deploy an infrastructure onto Microsoft Azure. The book also provides a series of hands-on labs on building a production-like, protected SharePoint Server 2013 farm on Microsoft Azure, which can help absolute beginners quickly pick up Azure IaaS knowledge before starting their Microsoft Azure journey.
SharePoint has been a “virtual” companion on my journey since 2008. I do not know how passionate I am about SharePoint, but when people negatively state that SharePoint is dead I often object to that statement. If you work with SharePoint and follow updates from Microsoft and the community, you probably know that Microsoft still invests in its collaboration platform. However, the investment budget is allocated towards SharePoint Online to strengthen the Microsoft Cloud ecosystem. That does not mean the on-premises version is not a Microsoft priority. There is a massive number of SharePoint on-premises deployments out there in the market, and on-premises deployment still has room in my opinion. The latest on-premises version is SharePoint Server 2016, offering several significant improvements based on the customer voice and demand Microsoft has received since 2013.
If you work with the Microsoft Cloud, you may have heard about the Microsoft Trust Center, where Microsoft demonstrates to its customers that the platform is trustworthy. In the Trust Center, Microsoft shows not only its compliance achievements but also its security and privacy practices. For Microsoft Azure specifically, the Trust Center is here
Cloud computing is heterogeneous and broad, spanning a variety of offerings from software services to hardware infrastructure. Nevertheless, people still follow the U.S. National Institute of Standards and Technology (NIST) definition, which describes three service models:
Connecting directly through RDP to your system is not recommended in practice, because the RDP connection travels over the Internet, which is a weak point. To add an extra layer of security, you should set up a jump virtual machine (also known as a bastion host) that connects privately to your system via a Point-to-Site VPN. The illustration below shows the target setup. In this setup, a virtual machine residing in a different virtual network is used to connect to your private network, and a Point-to-Site connection between the jump virtual network and your private virtual network secures that connection.
Last month at the Global Azure Bootcamp 2017 at Microsoft Singapore, I presented several security practices, along with a defense in depth strategy, for securing your Azure IaaS deployment. In the presentation, I shared four security principles I have arrived at during my time working with computers.
We all know that when a permission is granted to an account, that account receives an invitation email that links to the Microsoft Invitation page. Today, while doing some authorization work, I realized that Microsoft may be doing something *perhaps not correct* that makes people feel scared.
Multi-factor authentication means, as its name says, adding one more authentication step to protect your account. That step can be a time-based one-time password from a cloud authentication provider such as Google Authenticator or Microsoft Authenticator. It can also be a one-time code generated by an authentication server and sent to your email or to your mobile phone as an SMS message. Sometimes it takes a biometric form, i.e. a fingerprint. Whatever it is, after you enter your username and password in the traditional way, you still need another step to be fully authenticated before you gain access to your resources. Multi-factor authentication is commonly required by security policy in medium to large organizations, including governmental environments.
If you happen to see a strange securitydata resource group in your Azure subscription, you would be pretty surprised and wonder what it is. You might be angry at someone in your cloud team if the Azure subscription is shared with every member. You might even think the subscription has been hacked by somebody else, delete this resource group, and then change your password. Congrats on having serious security awareness, which is required today in the digital transformation.