Research shows that companies that are considering a “cloud” platform have various concerns, and that security is at the top of that list. I’ve put together a list of the resources I use for explaining our security posture, and the steps that you need to take to be secure in Windows and SQL Azure. I’ll try and keep this list current – if you don’t see something that you need, leave me a comment below and I’ll research that for you.
Security in any technology should use a multi-layered approach, and that holds true for cloud computing as well. There are things that Microsoft does for security, and things that you need to do to secure your own code and environment. As always, it’s best to discuss these items with a technical professional, but these links should provide you some good background to have those discussions.
This isn’t an exhaustive list; there will be other sources you can use for that, but I have it in a format that I think is easy to follow. Most of the links I show here have references to yet other sources as you need them.
General Information on Cloud Computing Security:
· General Security Whitepaper – answers most questions: http://blogs.msdn.com/b/usisvde/archive/2010/08/10/security-white-paper-on-windows-azure-answers-many-faq.aspx
· Windows Azure Security Notes from the Patterns and Practices site: http://blogs.msdn.com/b/jmeier/archive/2010/08/03/now-available-azure-security-notes-pdf.aspx
· Great Overview of Azure Security: http://www.windowsecurity.com/articles/Microsoft-Azure-Security-Cloud.html
· Azure Security Resources: http://reddevnews.com/articles/2010/08/19/microsoft-releases-windows-azure-security-resources.aspx
· Cloud Computing Security Considerations: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=68fedf9c-1c27-4642-aa5b-0a34472303ea&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+MicrosoftDownloadCenter+%28Microsoft+Download+Center
· Security in Cloud Computing – a Microsoft Perspective: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=7c8507e8-50ca-4693-aa5a-34b7c24f4579&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+MicrosoftDownloadCenter+%28Microsoft+Download+Center
Physical Security for Microsoft’s Online Computing:
· The Global Foundation Services group at Microsoft handles our physical security. It’s quite robust, and meets ISO 27001 and SAS-70 requirements. More here: http://www.globalfoundationservices.com/security/index.html
· Microsoft’s Security Response Center: http://www.microsoft.com/security/msrc/
Software Security for Microsoft’s Online Computing:
· Windows Azure is developed using the Trustworthy Computing Initiative - you should follow this as well: http://www.microsoft.com/about/twc/en/us/default.aspx and http://msdn.microsoft.com/en-us/library/ms995349.aspx
· Identity and Access in the Cloud: http://blogs.msdn.com/b/technology_titbits_by_rajesh_makhija/archive/2010/10/29/identity-and-access-in-the-cloud.aspx
Security Steps you should take:
· Securing your cloud architecture, step-by-step: http://technet.microsoft.com/en-us/magazine/gg296364.aspx
· Security Guidelines for Windows Azure: http://redmondmag.com/articles/2010/06/15/microsoft-issues-security-guidelines-for-windows-azure.aspx
· Best Practices for Windows Azure Security: http://blogs.msdn.com/b/vbertocci/archive/2010/06/14/security-best-practices-for-developing-windows-azure-applications.aspx
· Active Directory and Windows Azure: http://blogs.msdn.com/b/plankytronixx/archive/2010/10/22/projecting-your-active-directory-identity-to-the-azure-cloud.aspx
· Understanding Encryption (great overview and tutorial): http://blogs.msdn.com/b/plankytronixx/archive/2010/10/23/crypto-primer-understanding-encryption-public-private-key-signatures-and-certificates.aspx
· Securing your Connection Strings: http://blogs.msdn.com/b/sqlazure/archive/2010/09/07/10058942.aspx
· Getting started with Windows Identity Foundation (WIF) quickly: http://blogs.msdn.com/b/alikl/archive/2010/10/26/windows-identity-foundation-wif-fast-track.aspx