BeProduct - Platform Security

Overview

We know that security is job one in the cloud and how important it is that you find accurate and timely information about BeProduct security. One of the best reasons to use Azure for BeProduct applications and services is to take advantage of its wide array of security tools and capabilities. These tools and capabilities help make it possible to create secure solutions on the secure Azure platform. Microsoft Azure provides confidentiality, integrity, and availability of the data, while also enabling transparent accountability.

BeProduct is a public cloud platform hosted on Microsoft Azure that supports the same technologies millions of developers and IT professionals already rely on and trust.

Azure’s infrastructure is designed from facility to applications for hosting millions of customers simultaneously, and it provides a trustworthy foundation upon which businesses can meet their security requirements.


Networking

Microsoft Azure includes a robust networking infrastructure to support your application and service connectivity requirements. Network connectivity is possible between resources located in Azure, between on-premises and Azure hosted resources, and to and from the Internet and Azure.

Availability is a key component of any security program. If your users and systems can’t access what they need to access over the network, the service can be considered compromised. Azure has networking technologies that support the following high-availability mechanisms:

  • HTTP-based load balancing

  • Network level load balancing

  • Global load balancing

Load balancing is a mechanism designed to equally distribute connections among multiple devices. The goals of load balancing are:

  • Increase availability – when you load balance connections across multiple devices, one or more of the devices can become unavailable and the services running on the remaining online devices continue to serve the content.

  • Increase performance – when you load balance connections across multiple devices, a single device doesn’t have to take the processor hit. Instead, the processing and memory demands for serving the content are spread across multiple devices.


Storage

Azure Storage is the cloud storage solution for modern applications that rely on durability, availability, and scalability to meet the needs of their customers. Azure Storage provides a comprehensive set of security capabilities:

  • The storage account can be secured using Role-Based Access Control and Azure Active Directory.

  • Data can be secured in transit between an application and Azure by using Client-Side Encryption, HTTPS, or SMB 3.0.

  • Data can be set to be automatically encrypted when written to Azure Storage using Storage Service Encryption.

  • OS and Data disks used by virtual machines can be set to be encrypted using Azure Disk Encryption.

  • Delegated access to the data objects in Azure Storage can be granted using Shared Access Signatures.

  • The authentication method used by someone when they access storage can be tracked using Storage analytics.

For a more detailed look at security in Azure Storage, see the Azure Storage security guide. This guide provides a deep dive into the security features of Azure Storage such as storage account keys, data encryption in transit and at rest, and storage analytics.
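The last capability above, tracking how each request authenticated, is what a reviewer would actually check in the logs. The following is an added example (not code from BeProduct or from the Azure documentation): it parses a few constructed Storage Analytics log records and summarizes them by authentication type; the column order is assumed from the 1.0 log format and should be verified against your own account's logs.

```python
import csv
from collections import Counter
from io import StringIO

# Field order of the leading columns of a Storage Analytics (format 1.0) log
# record; assumption: verify against the logs of your own storage account.
FIELDS = ["version", "start_time", "operation", "status", "http_status",
          "e2e_latency_ms", "server_latency_ms", "auth_type", "requester",
          "owner", "service", "url", "object_key", "request_id", "op_count",
          "client_ip"]

# Constructed sample log records (not real account data); only the leading
# 16 fields are shown. Field 8 is the authentication type.
SAMPLE_LOG = """\
1.0;2024-01-15T10:00:01.0000000Z;GetBlob;Success;200;12;10;authenticated;exampleacct;exampleacct;blob;"https://exampleacct.blob.core.windows.net/designs/spec.pdf";"/exampleacct/designs/spec.pdf";req-1;1;203.0.113.10
1.0;2024-01-15T10:00:05.0000000Z;GetBlob;SASSuccess;200;15;11;sas;;exampleacct;blob;"https://exampleacct.blob.core.windows.net/designs/spec.pdf?sv=2020-08-04&sig=REDACTED";"/exampleacct/designs/spec.pdf";req-2;1;198.51.100.7
1.0;2024-01-15T10:00:09.0000000Z;GetBlob;AnonymousSuccess;200;9;8;anonymous;;exampleacct;blob;"https://exampleacct.blob.core.windows.net/public/logo.png";"/exampleacct/public/logo.png";req-3;1;192.0.2.55
1.0;2024-01-15T10:00:12.0000000Z;ListBlobs;AnonymousAuthorizationError;403;3;2;anonymous;;exampleacct;blob;"https://exampleacct.blob.core.windows.net/designs?restype=container&comp=list";"/exampleacct/designs";req-4;1;192.0.2.55
"""

def parse_log(text):
    """Parse semicolon-delimited, double-quoted log records into dicts."""
    rows = []
    for rec in csv.reader(StringIO(text), delimiter=";", quotechar='"'):
        if rec:
            rows.append(dict(zip(FIELDS, rec)))
    return rows

def auth_summary(rows):
    """Requests per authentication type (authenticated / sas / anonymous)."""
    return Counter(r["auth_type"] for r in rows)

def anonymous_successes(rows):
    """Successful anonymous requests: expected only on containers that were
    deliberately made public, so each one is worth a review."""
    return [(r["client_ip"], r["operation"], r["object_key"]) for r in rows
            if r["auth_type"] == "anonymous" and r["http_status"].startswith("2")]

def denied_by_client(rows):
    """Count 403 responses per client IP, a simple signal of probing."""
    return Counter(r["client_ip"] for r in rows if r["http_status"] == "403")

if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print(dict(auth_summary(records)))
    print(anonymous_successes(records))
    print(dict(denied_by_client(records)))
```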


Compute

Azure offers several ways to host web sites: Azure App Service, Virtual Machines, Service Fabric, and Cloud Services. This article helps you understand the options and make the right choice for your web application.

Azure App Service is the best choice to host BeProduct apps. Deployment and management are integrated into the platform, sites can scale quickly to handle high traffic loads, and the built-in load balancing and traffic manager provide high availability.

App Service web apps provide diagnostic functionality for logging information from both the web server and the web application. These are logically separated into web server diagnostics and application diagnostics. Web server diagnostics includes two major advances in diagnosing and troubleshooting sites and applications.

The first is real-time state information about application pools, worker processes, sites, application domains, and running requests. The second is the detailed trace events that track a request throughout the complete request-and-response process.

Azure App Service provides a 99.9% (three nines) SLA for web apps and enables you to:

  • Run your websites reliably on a self-healing, auto-patching cloud platform.

  • Scale automatically across a global network of datacenters.

  • Back up and restore for disaster recovery.

  • Manage logs and traffic with integrated tools.

  • SOC2 and PCI compliant.


Security Management and Monitoring

Azure provides security mechanisms to aid in the management and monitoring of Azure cloud services.

Azure Security Center helps you prevent, detect, and respond to threats, and provides you increased visibility into, and control over, the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions, helps detect threats that might otherwise go unnoticed, and works with a broad ecosystem of security solutions.

Security Center helps you optimize and monitor the security of your Azure resources by:

  • Enabling you to define policies for your Azure subscription resources according to your company’s security needs and the type of applications or sensitivity of the data in each subscription.

  • Monitoring the state of your Azure virtual machines, networking, and applications.

  • Providing a list of prioritized security alerts, including alerts from integrated partner solutions, along with the information you need to quickly investigate and recommendations on how to remediate an attack.

Antimalware

Microsoft Antimalware for Azure Cloud Services is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware provides configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems.

Microsoft Antimalware is a single-agent solution for applications and tenant environments, designed to run in the background without human intervention. You can deploy protection based on the needs of your application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring.

When you deploy and enable Microsoft Antimalware, the following core features are available:

  • Real-time protection - monitors activity in Cloud Services and on Virtual Machines to detect and block malware execution.

  • Scheduled scanning - periodically performs targeted scanning to detect malware, including actively running programs.

  • Malware remediation - automatically takes action on detected malware, such as deleting or quarantining malicious files and cleaning up malicious registry entries.

  • Signature updates - automatically installs the latest protection signatures (virus definitions) to ensure protection is up-to-date on a pre-determined frequency.

  • Antimalware Engine updates – automatically updates the Microsoft Antimalware engine.

  • Antimalware Platform updates – automatically updates the Microsoft Antimalware platform.

  • Active protection - reports to Azure telemetry metadata about detected threats and suspicious resources to ensure rapid response and enables real-time synchronous signature delivery through the Microsoft Active Protection System (MAPS).

  • Samples reporting - provides and reports samples to the Microsoft Antimalware service to help refine the service and enable troubleshooting.

  • Exclusions – allows application and service administrators to configure certain files, processes, and drives to exclude them from protection and scanning for performance and other reasons.

  • Antimalware event collection - records the antimalware service health, suspicious activities, and remediation actions taken in the operating system event log and collects them into the customer’s Azure Storage account.


Site Recovery

An important part of your organization's BCDR strategy is figuring out how to keep corporate workloads and apps up and running when planned and unplanned outages occur. Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they are available from a secondary location if your primary location goes down.

Site Recovery:

  • Simplifies your BCDR strategy — Site Recovery makes it easy to handle replication, failover, and recovery of multiple business workloads and apps from a single location. Site Recovery orchestrates replication and failover but doesn't intercept your application data or have any information about it.

  • Supports failover and recovery — Site Recovery provides test failovers to support disaster recovery drills without affecting production environments. You can also run planned failovers with zero data loss for expected outages, or unplanned failovers with minimal data loss (depending on replication frequency) for unexpected disasters. After failover, you can fail back to your primary sites. Site Recovery provides recovery plans that can include scripts and Azure Automation runbooks so that you can customize failover and recovery of multi-tier applications.

  • Eliminates the secondary datacenter — You can replicate to a secondary on-premises site, or to Azure. Using Azure as a destination for disaster recovery eliminates the cost and complexity of maintaining a secondary site. Replicated data is stored in Azure Storage.


Security Features Implemented to Secure the Azure Platform

The features listed below are capabilities you can review to gain assurance that the Azure Platform is managed in a secure manner. Links have been provided for further drill-down on how Microsoft addresses customer trust questions in four areas: Secure Platform, Privacy & Controls, Compliance, and Transparency.