When it comes to the cloud and the methods used to audit this expanding technology, Amazon Web Services (AWS) is not the only major player. There may not be as many advertisements for Azure, but as of 2019, Microsoft was one of the top-three providers of public cloud services.1 The following examines the leading public cloud service providers, including a basic financial analysis, and then introduces Microsoft Azure and the audit techniques enterprises can use to assess the Microsoft Azure Platform as a Service (PaaS).
The general audit program outlined here is not intended as a prescriptive set of tests that each enterprise should conduct; it is meant to serve as a foundation for the development of security, risk and compliance assessments related to Azure deployments.

From a security audit and risk perspective, a financial analysis of any service provider allows an enterprise to better assess the provider’s maturity (e.g., security services offered, market stability, financial risk from investments, potential for cyberattacks due to size). The larger the technological footprint a service provider offers, the more attention it is likely to receive from cybercriminals. In addition, rapid market expansion may lead to larger gaps between the introduction of new services and the creation and maturation of associated security capabilities, leading to increased risk. Assessment of the financial status of a cloud service provider (CSP) can help IT audit teams and executive management determine whether the provider is growing too quickly in an insecure manner, whether rapid expansion may lead to increased security breaches and whether growth is occurring in a way that deviates from the enterprise risk appetite.

Cloud Service Providers

It is difficult to declare a definitive winner in the category of top public CSP. Microsoft chooses not to publicly disclose total revenue figures specific to Azure.2, 3 As of 2019, AWS was widely accepted as the market leader in both Infrastructure as a Service (IaaS) and overall cloud services, finishing the year with an estimated US$35 billion.4 Second place was assumed to belong to Microsoft, whose “Commercial Cloud” portfolio, which includes Azure, LinkedIn Premium and MS Dynamics, ended 2019 with US$38 billion in total revenue for all cloud services combined.5 Google Cloud ended 2019 in third place with US$10 billion in total revenue.6

Adam Kohnke, CISA, CISSP, eJPT
Currently serves as the identity and access management team leader for North American operations at QBE Insurance, Australia’s second largest insurer. He has four years of experience in IT audit within the financial services industries and more than six years of IT service management experience in the healthcare and construction industries.
… virtually represent the enterprise that has established a relationship with Microsoft Azure; they can be single tenants or multitenants.10 All tenants are identified by a globally unique identifier (GUID) and rely on the Azure Active Directory (AAD), which serves as the digital identity service model for securing all SaaS, IaaS and PaaS resources within Azure. The next level in the Azure hierarchy is the management group. Management groups allow an enterprise to organize Azure resources into a hierarchy of strategic collections, providing another level of classification and centralized access control that transcends Azure subscriptions; for example, an enterprise can designate a human resources (HR) management group to dictate Azure policy decisions over HR-associated Azure subscriptions and resources, or it can assign a marketing management group to define how resources allocated to marketing can be deployed and accessed. Next, Azure subscriptions are billed service agreements between the enterprise and Microsoft, allowing the use of any number of Microsoft cloud platforms or services, such as the Azure PaaS or Office 365 SaaS.11 The final level is the resource group, which allows the enterprise to logically group similar resources such as Structured Query Language (SQL) databases or VMs together for ease of management, such as by application, by department or by operating environment. Figure 3 illustrates the hierarchy of tenants, management groups, subscriptions, resource groups and resources themselves.12, 13

Auditing the Azure Cloud Platform

Before an audit or security assessment begins, it is important to understand which aspects of Azure the customer is responsible for and which aspects Microsoft is responsible for, as this will help focus audit and assurance activities. Similar to AWS, Azure operates under the shared responsibility model, where, depending on the type of services the customer subscribes to, management of certain aspects of Azure, such as patch management, are handled by Microsoft, by the customer or by both (figure 4).14

Governance Controls

Governance controls are a key factor in shared responsibility. Even though the cloud provider is primarily responsible for operating certain controls within Azure, the customer has an ethical, professional and moral responsibility to oversee the cloud provider’s activity for every vendor-managed control to the extent possible.
Figure 3: Azure hierarchy (Azure Active Directory/tenant, policy, subscription, policy, resource group, resources)
Executive management should clearly define an Azure governance strategy that includes, but is not limited to, the number of tenants allowed (single or multitenant); management groups that are logically organized by business function, geographic location or the like; subscriptions allowed under each management group, which are further divided by operating environment, such as production or development; and strategies to logically group and dictate the type of deployed resources associated with each subscription. As part of its governance strategy, executive management should consider declaring and routinely assessing the physical regions where it deploys Azure resources to ensure service availability, which involves determining whether the region meets regulatory or other compliance needs and whether the region is capable of fulfilling the enterprise’s availability, business continuity and disaster recovery needs.

Governance audits should also assess whether management has included adequate enforcement mechanisms to carry out its governance strategy through the use of Azure policy, which allows the enterprise to control where resources can be deployed (e.g., limiting VM locations to the US Western Region for the IT management group), how many and what type of resources can be deployed (e.g., disallowing the creation of a VM with more than four central processing units [CPUs]), whether resources can be created without tagging them, and many other compliance scenarios.15 Other key governance-related considerations include the development, implementation and routine assessment of a resource-tagging strategy to support effective cost management, billing forecasts and monitoring of resources that may be impacted in the future. Finally, a governance audit should consider the implementation of routine
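As an added example (not from the article or from Microsoft’s own tooling), the following Python script evaluates three rules written in the “if”/“then” layout of Azure Policy definitions, corresponding to the location, VM-size and tagging controls described above, against a constructed resource inventory. The inventory, the policy names and the allow-list of VM sizes are assumptions; the VM-size alias is the one used by the built-in “Allowed virtual machine size SKUs” policy.

```python
# Constructed inventory in the shape of `az resource list` output (abridged fields).
INVENTORY = [
    {"name": "it-vm-01", "type": "Microsoft.Compute/virtualMachines",
     "location": "westus", "sku": "Standard_D2s_v3", "tags": {"costCenter": "IT-100"}},
    {"name": "it-vm-02", "type": "Microsoft.Compute/virtualMachines",
     "location": "eastus", "sku": "Standard_D8s_v3", "tags": {}},
    {"name": "hr-sql-01", "type": "Microsoft.Sql/servers",
     "location": "westus", "sku": None, "tags": {"costCenter": "HR-200"}},
]

# Rules modelled on the 'if'/'then' layout of Azure Policy definitions. A vCPU cap
# is expressed in practice as an allow-list of sizes; this list is constructed.
POLICIES = [
    {"name": "allowed-locations",
     "if": {"field": "location", "notIn": ["westus", "westus2"]}, "then": "deny"},
    {"name": "vm-max-4-vcpu",
     "if": {"allOf": [
         {"field": "type", "equals": "Microsoft.Compute/virtualMachines"},
         {"field": "Microsoft.Compute/virtualMachines/sku.name",
          "notIn": ["Standard_B1s", "Standard_D2s_v3", "Standard_D4s_v3"]}]},
     "then": "deny"},
    {"name": "require-costcenter-tag",
     "if": {"field": "tags['costCenter']", "exists": "false"}, "then": "deny"},
]

def resolve(resource, field):
    """Map a policy field or alias onto the resource record (simplified)."""
    if field.startswith("tags['"):
        return resource.get("tags", {}).get(field[6:-2])
    if field == "Microsoft.Compute/virtualMachines/sku.name":
        return resource.get("sku")
    return resource.get(field)

def matches(cond, resource):
    """True when the policy condition matches the resource."""
    if "allOf" in cond:
        return all(matches(c, resource) for c in cond["allOf"])
    value = resolve(resource, cond["field"])
    if "equals" in cond:
        return value == cond["equals"]
    if "notIn" in cond:
        return value not in cond["notIn"]
    # "exists" takes the strings "true"/"false", as in Azure Policy JSON.
    return (value is not None) == (cond["exists"] == "true")

def violations(inventory=INVENTORY, policies=POLICIES):
    """(resource, policy) pairs that a 'deny' assignment would have blocked."""
    return [(r["name"], p["name"]) for r in inventory for p in policies
            if p["then"] == "deny" and matches(p["if"], r)]
```

Running `violations()` over the constructed inventory flags only it-vm-02, which sits outside the allowed region, exceeds the size allow-list and lacks the mandatory tag; an auditor can run the same logic over a real `az resource list` export to compare actual resources against the declared governance strategy.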
… Organization Controls (SOC), the Federal Risk and Authorization Management Program (FedRAMP), International Organization for Standardization (ISO) 27001, and Payment Card Industry Data Security Standard (PCI DSS) attestations for Azure.16

Identity and Access Management

Auditing identity and access management (IdAM) begins with an assessment of whether management has declared and documented the rationale for role-based access controls (RBACs) applied to management groups, subscriptions, resource groups and the individuals accessing resources based on their job functions for all Azure tenants. The concept of management groups establishes the basis for effective RBAC, but RBAC within Azure can be implemented against management groups, individual subscriptions and resource groups. To limit the time and resources needed to manage access, the enterprise should consider placing related subscriptions and their resources under associated management groups and then, to the extent possible, configuring a single …

“The audit should assess whether management has enforced the use of multifactor authentication (MFA) controls for each role or user posing an elevated access risk.”

Another key audit topic at the IdAM level is the use of managed service identities (MSIs), which allow a nonhuman Azure resource, such as a VM or SQL database, to authenticate without explicitly presenting credentials.18 MSIs can increase security by allowing Azure to automatically handle rotating credentials associated with each MSI; this requires much less effort to maintain than prior setups …
… to-point Ethernet or any-to-any IP virtual private network [VPN]) and the enterprise’s specific connectivity requirements.22 Each integration point should be assessed routinely for security appropriateness and justification to exist, and any changes to the connection configuration should result in alerts to the appropriate personnel.

Encryption

Data encryption within Azure depends primarily on the types of resources and Azure services to which the enterprise subscribes. The audit should start with an understanding of the overall data protection or data encryption policy the enterprise has defined for Azure. An assessment of that policy should cover the scope of the tenants, subscriptions and so forth to which the policy applies and the responsible parties who manage the configurations, encryption keys and the like. The encryption policy should also state the accepted algorithms or ciphers (Secure Hash Algorithm [SHA] or Advanced Encryption Standard [AES]), the minimum encryption strength of each algorithm (256 bit vs. 512 bit) applied to each resource type that requires encryption, and under which scenarios data encryption should occur (e.g., upon creation, at rest, in use, in transit).23 Because encryption is the final protection against unauthorized data manipulation or loss, it is crucial that the data encryption policy is well planned and comprehensive enough to cover all applicable business resources, has proper executive-level support, and is subjected to ongoing monitoring via database auditing or virtual desktop checks to ensure sustained compliance.

There are many encryption options available for data at rest (data stored on a persistent medium such as a hard disk drive) and data in transit (data traveling between public or private networked devices). The Azure disk encryption service allows VM disks to be encrypted using either BitLocker technology for Windows or dm-crypt for Linux. For both types of encryption keys, storage in the Azure Key Vault is recommended, and it is capable of centrally managing all necessary encryption-based activities such as creating, distributing, rotating and deleting encryption keys, secrets, digital certificates and connection strings.24 The Azure Key Vault has its own separate authentication and authorization function; it can also create multiple vaults for various objects and purposes. The audit should begin by assessing which Azure resources have been designated to integrate and store encryption objects (e.g., keys, certificates) in the Azure Key Vault; the vaults defined in the Azure Key Vault; the appropriateness of the users, accounts and end points, such as workstations, that have access to manage these encryption objects; and whether there is sufficient monitoring to log the users or MSIs accessing or changing objects stored in the Azure Key Vault.

The audit should then concentrate on whether the enterprise has defined capabilities to restore accidentally or maliciously deleted key vaults and their contents through an evaluation of the soft-delete and purge-protection features available in the Azure Key Vault.25 A related audit focus at this level is determining whether the enterprise is routinely practicing the deletion and recovery of key vaults and encryption objects to ensure that these mechanisms work as expected and fully support emergency recovery efforts related to security breaches or accidents triggered by personnel.

For any documents, emails or sensitive data produced using Azure resources, the Azure …
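As an added example (not code from the article), this Python check reads constructed `az keyvault show`-style records and reports the soft-delete, purge-protection and purge-permission findings an auditor would raise for the Key Vault controls discussed above. The vault records, object IDs and the 90-day retention threshold are assumptions; the property and permission names are those Key Vault itself uses.

```python
# Constructed `az keyvault show`-style records, abridged to the audited fields.
VAULTS = [
    {"name": "kv-it-prod", "properties": {
        "enableSoftDelete": True, "softDeleteRetentionInDays": 90,
        "enablePurgeProtection": True, "enableRbacAuthorization": False,
        "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000a01",
                            "permissions": {"keys": ["get", "list", "wrapKey", "unwrapKey"],
                                            "secrets": ["get"]}}]}},
    {"name": "kv-hr-dev", "properties": {
        "enableSoftDelete": True, "softDeleteRetentionInDays": 7,
        "enablePurgeProtection": None, "enableRbacAuthorization": False,
        "accessPolicies": [{"objectId": "00000000-0000-0000-0000-000000000b02",
                            "permissions": {"keys": ["all"], "secrets": ["all", "purge"]}}]}},
]

# Hypothetical threshold from this enterprise's encryption policy (assumption).
MIN_RETENTION_DAYS = 90
PURGE_CAPABLE = {"all", "purge"}  # Key Vault permission values that allow purging

def audit_vault(vault, min_retention=MIN_RETENTION_DAYS):
    """Return audit findings for one vault record; an empty list means clean."""
    p = vault["properties"]
    findings = []
    if not p.get("enableSoftDelete"):
        findings.append("soft delete disabled: deleted keys and vaults cannot be recovered")
    elif p.get("softDeleteRetentionInDays", 0) < min_retention:
        findings.append(f"retention {p['softDeleteRetentionInDays']}d is below {min_retention}d")
    if not p.get("enablePurgeProtection"):
        findings.append("purge protection off: a soft-deleted vault can still be purged")
    # With RBAC authorization off, vault access policies are the authorization model;
    # a principal able to purge can defeat soft delete when purge protection is off,
    # so each such grant should be justified and monitored.
    for ap in p.get("accessPolicies", []):
        for kind, perms in ap.get("permissions", {}).items():
            held = PURGE_CAPABLE & {x.lower() for x in perms}
            if held:
                findings.append(f"{ap['objectId']} holds {sorted(held)} on {kind}")
    return findings

def audit_all(vaults=VAULTS):
    """Map each vault name to its findings for the whole inventory."""
    return {v["name"]: audit_vault(v) for v in vaults}
```

Feeding the script the JSON of every vault in scope gives the auditor a per-vault list of gaps against the recovery capability the article asks for; the production vault in the sample passes, while the development vault has a short retention window, no purge protection and a principal holding purge-capable permissions.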
… information with Microsoft so that it can receive prompt notification of critical security incidents affecting the Azure platform. In addition, the enterprise should subscribe to external threat intelligence feeds that routinely inform it of potential threats impacting Azure resources.

Conclusion

The topics discussed here only scratch the surface of security risk and the controls required to address it. The companion Azure audit program28 provides a more comprehensive approach to managing risk …

… assurance will be the primary challenge, requiring enterprises to balance available resources against emerging threats and the malicious actors behind them. With grit, patience and a measured approach, enterprises can increase their chances of operating securely in the Azure cloud and returning tremendous value to their stakeholders.

Endnotes

1 Stalcup, K.; “AWS vs Azure vs Google Cloud Market Share 2020: What the Latest Data Shows,” ParkMyCloud, 5 February 2020, https://www.parkmycloud.com/blog/aws-vs-azure-vs-google-cloud-market-share/
2 Ibid.
3 Asay, M.; “Microsoft Keeps Hiding Azure Revenue Numbers, but Why?” TechRepublic, 26 April 2019, https://www.techrepublic.com/article/microsoft-keeps-hiding-azure-revenue-numbers-but-why/
4 Clement, J.; “Amazon Web Services: Quarterly Revenue 2014–2020,” Statista, 4 May 2020, https://www.statista.com/statistics/250520/forecast-of-amazon-web-services-revenue/
5 Microsoft, “Annual Report 2019,” https://www.microsoft.com/investor/reports/ar19/index.html
6 Dignan, L.; “Top Cloud Providers in 2020: AWS, Microsoft Azure, and Google Cloud, Hybrid, SaaS Players,” ZDNet, 11 May 2020, https://www.zdnet.com/article/the-top-cloud-providers-of-2020-aws-microsoft-azure-google-cloud-hybrid-saas/
7 Microsoft, “What Is Azure?” https://docs.microsoft.com/en-us/learn/modules/welcome-to-azure/2-what-is-azure
8 Microsoft, “Tour of Azure Services,” https://docs.microsoft.com/en-us/learn/modules/welcome-to-azure/3-tour-of-azure-services
9 Op cit. Microsoft, “What Is Azure?”
10 Microsoft, “Quickstart: Set up a Tenant,” 12 March 2020, https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant
11 Microsoft, “Subscriptions, Licenses, Accounts, and Tenants for Microsoft Cloud Offerings,” 8 October 2019, https://docs.microsoft.com/en-us/office365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings
12 Thuru’s Blog, “Democratizing Enterprise Cloud in Azure,” 24 March 2019, https://thuru.net/2019/03/24/democratizing-enterprise-cloud-in-azure/
13 Microsoft, “Enterprise Governance Management,” https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/4-management-groups
14 Microsoft, “Cloud Security Is a Shared Responsibility,” https://docs.microsoft.com/en-us/learn/modules/intro-to-security-in-azure/2-shared-responsibility
15 Microsoft, “Define IT Compliance With Azure Policy,” https://docs.microsoft.com/en-us/learn/modules/intro-to-governance/2-azure-policy
16 Microsoft, “Service Trust Portal,” https://servicetrust.microsoft.com/
17 Microsoft, “Enable Per-User Azure Multi-Factor Authentication to Secure Sign-in Events,” 13 April 2020, https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates