Microsoft Azure’s comprehensive approach to cloud vulnerabilities

Ganesh Chauhan, Technical Support Specialist, Microsoft Azure.

Our digital world is changing, and cybercriminals are becoming more persistent, sophisticated, and driven. As threats and risks multiply, trust is more important than ever. Customers must be able to put their trust in the technology platforms they use to build and run their businesses. As one of the largest cloud service providers, we build trust by assisting our customers in being secure from the beginning and doing more with the built-in, embedded, and out-of-the-box security of our cloud platforms.

Our security strategy is based on defence in depth, with layers of protection built into all stages of platform and technology design, development, and deployment. We also emphasise transparency, ensuring that customers are aware of how we are constantly working to learn and improve our offerings to help mitigate today’s cyberthreats and prepare for tomorrow’s cyberthreats.

We highlight our extensive security commitments from the past, present, and future in this blog, as well as where we see opportunities for continued learning and growth. This article is the first in a four-part series on Azure Built-In Security, which will share lessons learned from recent cloud vulnerabilities and how we’re applying these lessons to ensure our technologies and processes are secure for customers. Transparently sharing our learnings and changes is part of our commitment to establishing trust with our customers, and we hope that other cloud providers will follow suit.

Our security commitments: the past, present, and future

Microsoft has been and continues to be deeply focused on customer security and platform security for decades. This dedication is reflected in our long history of pioneering security best practises, from on-premises and software to today’s cloud-first environments. In 2004, we pioneered the Security Development Lifecycle (SDL), a framework for how to build security into applications and services from the ground up, which has had a far-reaching impact. SDL is currently being used as the foundation for built-in security in important initiatives such as international application security standards (ISO/IEC 27034-1) and the White House’s Executive Order on Cyber Security.

However, as security leaders and practitioners are well aware, security’s job is never done. Constant vigilance is required. As a result, Microsoft is currently investing heavily in internal security research as well as a robust bug bounty programme. Microsoft employs over 8,500 security experts who are constantly focused on vulnerability discovery, understanding attack trends, and addressing security issue patterns. Customers, Microsoft, open-source software, and our industry partners all benefit from our world-class security research and threat intelligence.

We also invest in one of the most proactive Bug Bounty Programs in the industry. Microsoft awarded $13.7 million in bug bounties across a wide range of technologies in 2021 alone. Over the last year, there has been an increase in externally reported vulnerabilities affecting several cloud providers, including Azure. While vulnerabilities are not uncommon in the industry, Microsoft is of greater interest to researchers and security competitors alike as a leading cloud provider and the number one security vendor. This is why, beginning in 2014, our public bounty programme was the first to include cloud services, and in 2021, we expanded the programme to include higher rewards for cross-tenant bug reports. As expected, this piqued the interest of even more external security researchers in Azure, culminating in the awarding of multiple cross-tenant bug bounties. Whatever the reason, these discoveries aided in the further security of specific Azure services and our customers.

Finally, we believe that security is a team sport, as evidenced by our involvement in the NIST Secure Software Development Framework (SSDF) and our $5 million investment in the OpenSSF Alpha-Omega project.

Our commitment to security is unwavering, as evidenced by our decades-long leadership of SDL to present-day vulnerability discovery, bug bounty programmes, and collaboration contributions, and it continues well into the future with our commitment to invest more than $20 billion in cybersecurity over the next five years. While building in security from the start is not new at Microsoft, we recognise that the security landscape is constantly changing and evolving, and our learnings should follow suit.

Our most recent discoveries and advancements for a more secure cloud

A growth mindset is an important part of our culture at Microsoft. Internal and external security researchers’ findings are critical to our ability to further secure all of our platforms and products. We conduct in-depth root cause analysis and post-incident reviews for every report of a vulnerability in Azure, whether discovered internally or externally. These reviews enable us to reflect on and apply lessons learned at all levels of the organisation, and they are critical to ensuring that Microsoft continues to evolve and build in security.

We are improving in three key dimensions based on insights gained from recent Azure vulnerability reports. These advancements improve our response process, broaden our internal security research, and allow us to continuously improve how we secure multitenant services.

  1. Integrated response

Several lessons from the past year have focused our attention on areas where we know we need to improve, such as reducing response times. This is being addressed throughout our Integrated Response processes, which are uniting internal and external response mechanisms. We began by increasing the frequency and scope of our Security LiveSite Reviews at the executive and lower levels. We are also working to improve the integration of our external security case management system with our internal incident communication and management systems. These modifications shorten the average time to engagement and remediation of reported vulnerabilities, further improving our rapid response.

  2. Hunting for Cloud Variants

We have expanded our variant hunting programme to include a global and dedicated Cloud Variant Hunting function in response to cloud security trends. Variant hunting identifies additional and similar vulnerabilities in the impacted service, as well as similar vulnerabilities in other services, to ensure more thorough discovery and remediation. This also leads to a better understanding of vulnerability patterns, which leads to more comprehensive mitigations and fixes. A few highlights from our Cloud Variant Hunting efforts are listed below:

  • We identified variants and resolved over two dozen unique issues in Azure Automation.
  • We identified significant design improvements in Azure Data Factory/Synapse that further harden the service and address variants. We also collaborated with our supplier and other cloud providers to address risks more broadly.
  • We identified multiple variants in Azure Open Management Infrastructure, our researchers published CVE-2022-29149, and we drove the development of Automatic Extension Upgrade capabilities to reduce customer remediation time. Customers using Azure Log Analytics, Azure Diagnostics, and Azure Desired State Configuration are already benefiting from our Automatic Extension Upgrade feature.

Furthermore, Cloud Variant Hunting proactively identifies and resolves potential issues across all of our services. This includes many known as well as novel classes of vulnerabilities, and in the coming months, we will share more details of our research to benefit our customers and the community at large.

  3. Secure multitenancy

We continue to evolve our Secure Multitenancy requirements, as well as the automation we use at Microsoft to provide early detection and remediation of potential security risks, based on learnings from all of our security intelligence sources. As we examined Azure and other cloud security cases over the last few years, both our internal and external security researchers discovered novel approaches to breaking down some isolation barriers. Microsoft already invests heavily in proactive security measures to prevent this; these new findings helped us determine the most common root causes and ensure that we addressed them within Azure via a small number of highly leveraged changes.

We are also doubling down on our defence in depth approach by requiring and applying even more stringent standards for Compute, Network, and Credential isolation across all Azure services, especially when consuming third-party or OSS components. We will continue to work with the open source community, such as PostgreSQL, and other cloud providers on features that are highly desirable in multitenant cloud environments.

This work has already resulted in dozens of distinct findings and fixes, the vast majority (86 percent) of which can be attributed to our specific improvements in Compute, Network, or Credential isolation. As part of our automation improvements, we are expanding internal Dynamic Application Security Tests (DAST) to include more checks for validating Compute and Network isolation, as well as adding new runtime Credential isolation check capabilities. In the meantime, our security experts continue to examine our cloud services, validate that they meet our standards, and develop new automated controls for the benefit of our customers and Microsoft.

Based on the shared responsibility model for cloud security, we recommend that our customers use the Microsoft cloud security benchmark to improve their cloud security posture. We are working on a new set of recommendations focusing on multi-tenancy security best practises, which will be published in our next release.

In short, while Microsoft has a long and continuing commitment to security, we are constantly growing and evolving our learnings as the security landscape evolves and shifts. In this spirit of continuous learning, Microsoft is addressing recent Azure cloud security issues by improving secure multitenancy standards, expanding our cloud variant hunting capacity, and developing integrated response mechanisms. Our enhancements, as well as the scope of our security efforts, demonstrate our leadership and decades-long commitment to continuous improvement of our security programmes and to raising the bar for security industry-wide. Microsoft remains committed to incorporating security into all phases of design, development, and operations so that our customers and the rest of the world can build with confidence on our cloud.
