In my opinion, this can be summarized in three main points.
- Economics. You can rent computing resources for a few dollars an hour, scale up to as much as you need on demand and shut them down when not in use. There is little to no CapEx and very manageable OpEx.
- Productivity. Azure offers several interfaces, including scripting and automation, that allow you to be productive virtually immediately.
- Security. This has been my primary concern for a long time, but Azure now has a comprehensive set of technical features necessary to implement a highly secure solution.
I've been watching Azure since it was first released. Back then, it was a very interesting idea and a great way to waste many hours trying to be productive. Plus, the whole idea of putting highly valuable operational data - let alone financials, PHI or similar extremely confidential data - on a public-facing computer was simply a non-starter. Still, the economic benefits were very compelling. So, I kept watching, intrigued by the possibilities but still somewhat skeptical.
Every few years or so, I'd migrate a SQL Server database or two, build a simple web site on top of them and maybe push a few files to blob storage. Things slowly got better, and my productivity consistently improved every time I worked with Azure. But the security questions still lingered. Just how secure is my stuff?
Fast forward to late summer/fall of 2016, when I did an in-depth evaluation, built a POC, migrated some test data and generally kicked the tires pretty hard.
The platform has matured well. In my opinion, that is in large part due to the leadership of Scott Guthrie, who is responsible for Azure for Microsoft. Regarding my concerns around security and productivity, I found its security capabilities to be robust, plus it now offers extensive scripting possibilities via PowerShell and a command-line interface. The economics continue to improve, bringing compute costs down to the area of pennies per hour in some cases, and Microsoft continues to bring new services online at a rapid pace.
Security professionals often talk about defense-in-depth as a strategy to defend an application against attackers. In this approach, you implement multiple layers of security so that if an attacker defeats one, he or she is promptly faced with another. Think of it as a series of Chinese walls. You can do that with Azure now. A full review of Azure security is too big a topic for a blog post, but here are the highlights of my findings:
First off, physical access to the data centers themselves is highly restricted. Data centers are managed and monitored 24x7x365, surrounded by perimeter fencing, staffed by security personnel, have secure entrances, etc.
At the hardware level, Azure supports whole-disk encryption of disks attached to a Windows VM using BitLocker; on Linux, you can do the same with DM-Crypt. Customer keys are stored in Azure Key Vault, which is backed by hardware security modules (HSMs) and to which Microsoft does not have access. Of course, you can also encrypt your data before copying it to Azure and keep the keys in your own datacenter. For data stored in Azure SQL, TDE (Transparent Data Encryption) is supported.
Storage Service Encryption is available for other data at rest that is not stored on a VM, such as individual files. Data is encrypted as it is stored and automatically decrypted as it is read, using 256-bit AES keys. These keys are managed by Microsoft, but customer-managed keys are coming. Other capabilities include Shared Access Signatures, digital certificates and rights management services (RMS) to protect copyrighted content.
For data in motion, Azure's network security groups allow you to control network traffic by source IP/port, destination IP/port and protocol. Azure also supports HTTPS, SSL/TLS, customer digital certificates and three different VPN options, including a dedicated, high-bandwidth route directly from an ISP to a Microsoft datacenter that does not cross the open internet.
For identity and access management, Azure supports a lightweight version of Active Directory without the need to install a domain controller on a VM. Support for federated identities is also available, allowing an application to rely on third-party identity providers for authentication. In addition, multi-factor authentication and role-based access control of certain resources are available.
All of the above are built-in and available in many combinations and permutations to match your specific requirements. You can also set up pre-built VMs with enterprise software firewalls, including web application firewalls, inside your virtual network if you need advanced defenses.
Of course, you're free to take other measures on your own, such as encrypting PHI at the application level (known in security circles as data-centric encryption) so that you're not relying only on file-level encryption to protect sensitive data. Better yet, set up a way to blind the data so that PHI never gets to the cloud, if it truly doesn't need to be there.
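One way to implement the "blind the data" approach above, as an added example that is not from the original post: direct identifiers are replaced on-premises with keyed HMAC-SHA256 pseudonyms before a record is sent to Azure, and the token-to-PHI map stays in your own datacenter. The field names, the sample record and the key are constructed for illustration.

```python
import hashlib
import hmac

# Constructed secret; in practice generate it with secrets.token_bytes(32) and keep it
# in your own vault/HSM. It never leaves the premises, so the cloud only ever sees tokens.
ON_PREM_KEY = b"constructed-on-prem-secret-do-not-reuse"

# Direct identifiers that must not reach the cloud (illustrative set, an assumption).
PHI_FIELDS = ("name", "ssn", "dob")


def blind_value(value: str, key: bytes = ON_PREM_KEY) -> str:
    """Pseudonymise one PHI value with HMAC-SHA256.

    Deterministic for a given key, so cloud-side records can still be joined on the
    token; without the key the token cannot be reversed or guessed by dictionary attack.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


class OnPremVault:
    """Holds the token -> PHI mapping; this object lives only in your own datacenter."""

    def __init__(self, key: bytes = ON_PREM_KEY):
        self._key = key
        self._map: dict[str, str] = {}

    def blind_record(self, record: dict) -> dict:
        """Return a copy of the record that is safe to send to Azure."""
        safe = dict(record)
        for field in PHI_FIELDS:
            if field in safe:
                token = blind_value(str(safe[field]), self._key)
                self._map[token] = safe[field]
                safe[field] = token
        return safe

    def reidentify(self, safe_record: dict) -> dict:
        """Restore PHI from tokens; only possible where the mapping is held."""
        out = dict(safe_record)
        for field in PHI_FIELDS:
            if field in out and out[field] in self._map:
                out[field] = self._map[out[field]]
        return out


def leaks_phi(safe_record: dict, original: dict) -> bool:
    """Pre-upload check: does any original PHI value appear in the outbound record?"""
    outbound = repr(safe_record)
    return any(str(original[f]) in outbound for f in PHI_FIELDS if f in original)


# Constructed sample record with a mix of PHI and non-identifying clinical data.
SAMPLE = {"name": "Jane Example", "ssn": "000-00-0000", "dob": "1970-01-01",
          "lab_result": "A1C 6.1", "visit_id": 42}
```

Deterministic tokens keep records joinable but also expose value frequencies, so low-cardinality fields (dates of birth, for example) deserve a per-tenant key or a non-deterministic scheme if that matters for your data.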
Security in the cloud is no longer a question of technical capability, but of implementing those capabilities properly.