How is Microsoft positioning Azure security in Q2 2019?

June 12 2019

Microsoft Azure is a diverse offering, reaching customers across almost every industry imaginable. But the truth about cloud platforms is that many features are only relevant to certain users or particular industries. But if there's one capability area that comes close to being truly "global" among Azure users, it's sure to be security.

Security failure is definitely not an option

Over the past six months, major government contracts for the defense sector have become part and parcel of "cloud wars." The US Department of Defense's demanding standards for its new private cloud for classified data have winnowed the field of potential competitors down to just two: AWS and Azure. While the lengthy federal contracting process continues, it remains unclear which of the two enterprises will ultimately secure the decade-long, multi-billion dollar win. AWS was a first mover in high-level certifications and ultra-secure data centers, staffed by fully vetted US nationals, but Microsoft is doing a good job of playing catchup through its Azure Government and Azure Stack offerings as well as by racing to get new security certifications.

At the end of May, all US Azure regions achieved FedRAMP High certification, meaning that less sensitive federal workloads can be transitioned out of Azure Government regions and into the regular public cloud.

Both the public and private sector are watching with bated breath to see how the big cloud providers' security is working. For the Azure team, any security issue, even in the private cloud could cast doubts on its bid for the DoD JEDI contract, especially amongst risk-averse Pentagon bureaucrats. Of concern recently are reports that public cloud instances are being used to host scams. In May alone, at least 200 tech support scam sites were being hosted on Azure.

In many respects, that's a drop in the bucket compared to the size and scope of Azure as a whole, but even small scale scams or exploits being so much as hosted on the platform can reflective negatively on Microsoft. The Azure team may need to consider more steps in future updates to spot and prevent cybercrime hosting on the platform.

The Azure Security Center team did cite one win on April 8, spotting a cryptocurrency mining attack in real-time, exploiting an RCE vulnerability, and warned the customer in time to stop the attack.

Whether or not Microsoft ultimately wins the JEDI contract, its efforts may prove useful in other large markets. In collaboration with regional partners, it is likely to open secure government and military data centers for many countries in Europe and East Asia or focus more on the Canadian and Australian federal governments. In 2017, Estonia became the first country to create a data embassy—a secure backup of its entire government IT infrastructure in a data center, granted full diplomatic privileges in Luxembourg, signaling a new direction for government cloud projects.

Hardening databases and the network edge

Data in storage is often the target of exploits and preventing access is increasingly key. Therefore, Microsoft added role-based access control for Storage Blobs at the end of March, feeding data into Storage Analytics logs. Just a few days later, on April 3, the team announced Advanced Threat Protection for Azure Storage for detecting anomalous activities. For SQL Databases, Microsoft implemented the App Authentication library at the end of April, which authenticates from existing .NET apps to SQL Database.

Since the roll out of Azure Firewall, the Azure team has made the case that the service is a more scalable and adaptable alternative to network virtual appliances (NVAs), with more features to boot. Although they are on the roadmap for Azure Firewall, NVAs still have a leg up with features such as traffic filtering rules, SSL termination with deep packet inspection, and central management.

Confusingly, Microsoft also released Web Application Firewall for Azure Front Door Service. In spite of the similar nomenclature, WAF is more focused to web apps, with Managed RuleSet pre-configured rules or custom rules and a speciality in OWASP TOP 10 exploits.

Although internal threats exist, most companies probably face their biggest threats from public internet. In Q2, Azure Security Center was retooled with new recommendations to send out alerts for traffic originating from IP addresses flagged by a new algorithm. This process of "network hardening" is intended to close the gaps with existing network security group rules.

Centralizing and automating security

About Eamon McCarthy Earls

As the assistant editor at and, Eamon helps to oversee editorial content on the site and supports site management and strategy. He can be reached at

Before joining, Eamon was editor for at TechTarget, where he covered networking technology, IoT, and cybersecurity. He is also the author of multiple books and previously contributed to publications such as the Boston Globe, Milford Daily News, and DefenceWeb.

More about Eamon McCarthy Earls