This article provides an overview of the core Azure security features that can be used with virtual machines.
You can use Azure Virtual Machines to deploy a wide range of computing solutions agilely. The service supports Microsoft Windows, Linux, Microsoft SQL Server, Oracle, IBM, SAP, and Azure BizTalk Services. So you can deploy any workload and any language on nearly any operating system.
An Azure virtual machine gives you the flexibility of virtualization without buying and maintaining the physical hardware that runs the virtual machine. You can build and deploy your applications with the assurance that your data is protected and safe in highly secure data centers.
With Azure, you can build security-enhanced, compliant solutions that:
Protect your virtual machines from viruses and malware.
Encrypt your sensitive data.
Secure network traffic.
Identify and detect threats.
Meet compliance requirements.
What is Azure Virtual Machines
Azure virtual machines (VMs) are part of Azure's on-demand, scalable computing resources. Virtual machines are an ideal choice when more control over the computing environment is required. With virtualization flexibility, users are relieved from purchasing and maintaining physical hardware. However, maintaining the virtual machine involves tasks such as configuration, patching, and software installation.
Virtual machines: virtual computers within computers
A virtual machine is similar to a physical computer, such as a laptop, smartphone, or server. It includes a CPU, memory, storage disks, and the ability to connect to the internet when required. Although the components of your computer (referred to as hardware) are tangible and physical, VMs are commonly perceived as virtual or software-defined computers residing within physical servers, functioning solely as code.
How Azure Virtual Machines Works
Virtualization involves creating a virtual or software-based version of a computer with specific amounts of CPU, memory, and storage borrowed from a physical host computer or remote server, such as one in a cloud provider's datacenter.
A virtual machine, often referred to as an image, mimics the behavior of a physical computer and can operate in a separate computing environment, typically in a window, to run a different operating system or serve as the user's entire computer experience, as is often the case with many work computers.
The virtual machine is isolated from the rest of the system, ensuring that the software inside the virtual machine cannot interfere with the primary operating system of the host computer.
Azure Virtual Machine Uses
Storing and launching applications in the cloud.
Experimenting with new operating systems, such as beta versions.
Creating a new setup for developers to run development and testing scenarios more easily and quickly.
Creating a backup of your current operating system.
Accessing virus-infected data or running an outdated application by installing an older operating system.
Running software or applications on operating systems for which they were not originally designed.
Antimalware
With Azure, you can use antimalware software from security vendors such as Microsoft, Symantec, Trend Micro, and Kaspersky. This software helps protect your virtual machines from malicious files, adware, and other threats.
Microsoft Antimalware for Azure Cloud Services and Virtual Machines is a real-time protection capability that helps identify and remove viruses, spyware, and other malicious software. Microsoft Antimalware for Azure provides configurable alerts when known malicious or unwanted software attempts to install itself or run on your Azure systems.
Microsoft Antimalware for Azure is a single-agent solution for applications and tenant environments. It's designed to run in the background without human intervention. You can deploy protection based on the needs of your application workloads, with either basic secure-by-default or advanced custom configuration, including antimalware monitoring.
Hardware security module
Improving key security can enhance encryption and authentication protections. You can simplify the management and security of your critical secrets and keys by storing them in Azure Key Vault.
Key Vault provides the option to store your keys in hardware security modules (HSMs) certified to FIPS 140-2 Level 2 standards. Your SQL Server encryption keys for backup or transparent data encryption can all be stored in Key Vault with any keys or secrets from your applications. Permissions and access to these protected items are managed through Azure Active Directory.
Virtual machine disk encryption
Azure Disk Encryption is a new capability for encrypting your Windows and Linux virtual machine disks. Azure Disk Encryption uses the industry-standard BitLocker feature of Windows and the dm-crypt feature of Linux to provide volume encryption for the OS and the data disks.
The solution is integrated with Azure Key Vault to help you control and manage the disk encryption keys and secrets in your key vault subscription. It ensures that all data in the virtual machine disks are encrypted at rest in Azure Storage.
Azure Site Recovery
An important part of your organization's BCDR strategy is figuring out how to keep corporate workloads and apps running when planned and unplanned outages occur. Azure Site Recovery helps orchestrate replication, failover, and recovery of workloads and apps so that they're available from a secondary location if your primary location goes down.
Site Recovery:
Simplifies your BCDR strategy:
Site Recovery makes it easy to handle replication, failover, and recovery of multiple business workloads and apps from a single location. Site Recovery orchestrates replication and failover but doesn't intercept your application data or have any information about it.
Provides flexible replication:
By using Site Recovery, you can replicate workloads running on Hyper-V virtual machines, VMware virtual machines, and Windows/Linux physical servers.
Supports failover and recovery:
Site Recovery provides test failovers to support disaster recovery drills without affecting production environments. You can also run planned failovers with zero data loss for expected outages or unplanned failovers with minimal data loss (depending on replication frequency) for unexpected disasters. After failover, you can fail back to your primary sites. Site Recovery provides recovery plans that can include scripts and Azure automation workbooks so that you can customize failover and recovery of multi-tier applications.
Eliminates secondary datacenters:
You can replicate it to a secondary on-premises site or to Azure. Using Azure as a destination for disaster recovery eliminates the cost and complexity of maintaining a secondary site. Replicated data is stored in Azure Storage.
Integrates with existing BCDR technologies:
Site Recovery partners with other applications' BCDR features. For example, you can use Site Recovery to help protect the SQL Server back end of corporate workloads. This includes native support for SQL Server Always On to manage the failover of availability groups.
Virtual networking
Virtual machines need network connectivity. Azure requires virtual machines to be connected to an Azure virtual network to support that requirement.
An Azure virtual network is a logical construct built on the physical Azure network fabric. Each logical Azure virtual network is isolated from all other Azure virtual networks. This isolation helps ensure that network traffic in your deployments is inaccessible to other Microsoft Azure customers.
Security policy management and reporting
Microsoft Defender for Cloud helps you prevent, detect, and respond to threats. It gives you increased visibility into and control over the security of your Azure resources. It provides integrated security monitoring and policy management across your Azure subscriptions. It helps detect threats that might otherwise go unnoticed and works with a broad ecosystem of security solutions.
Defender for Cloud helps you optimize and monitor the security of your virtual machines by:
Providing security recommendations for the virtual machines. Example recommendations include: apply system updates, configure ACLs endpoints, enable antimalware, enable network security groups, and apply disk encryption.
Monitoring the state of your virtual machines.
Compliance
Azure Virtual Machines is certified for FISMA, FedRAMP, HIPAA, PCI DSS Level 1, and other key compliance programs. This certification makes it easier for your own Azure applications to meet compliance requirements and for your business to address a wide range of domestic and international regulatory requirements.
Confidential Computing
While confidential computing is not technically part of virtual machine security, the topic of virtual machine security belongs to the higher-level subject of "compute" security. Confidential computing belongs within the category of "compute" security.
Confidential computing ensures that when data is "in the clear," which is required for efficient processing, the data is protected inside a Trusted Execution Environment https://en.wikipedia.org/wiki/Trusted_execution_environment (TEE - also known as an enclave), an example of which is shown in the figure below.
TEEs ensure there is no way to view data or the operations inside from the outside, even with a debugger. They even ensure that only authorized code is permitted to access data. If the code is altered or tampered, the operations are denied and the environment disabled. The TEE enforces these protections throughout the execution of code within it.
Azure Virtual Machine Benefits
Virtual machines function as individual computers with separate operating systems and applications. However, they maintain complete independence from each other and the physical host machine, which is an advantage. A hypervisor, also known as a virtual machine manager, enables the simultaneous running of different operating systems on different virtual machines. This capability allows running Linux VMs on a Windows OS or operating an earlier version of Windows on a more current Windows OS.
Due to the independence of VMs, they are highly portable. Almost instantaneously, a VM on a hypervisor can be moved to another hypervisor on a completely different machine.
Cost savings
The flexibility and portability of virtual machines provide numerous benefits, including cost savings. Running multiple virtual environments from a single infrastructure significantly reduces the physical infrastructure footprint, resulting in lower maintenance costs and electricity usage.
Agility and speed
Virtualization enables agility and speed. The process of spinning up a VM is relatively easy and quick, simplifying the provisioning of new environments for developers and expediting dev-test scenarios.
Lowered downtime
VMs contribute to decreased downtime. Their portability and ease of movement between hypervisors on different machines make them an excellent solution for backup in the event of unexpected host machine failure.
Scalability
Scalability is another advantage provided by VMs. They facilitate easier scaling of apps by adding physical or virtual servers to distribute the workload across multiple VMs, thereby increasing app availability and performance.
Security Benefits
There are also security benefits associated with virtual machines. Running apps in guest operating systems on VMs allows for the safe execution of potentially insecure applications, protecting the host operating system. Additionally, VMs enable better security forensics and are often used for safe study of computer viruses by isolating the viruses and preventing risk to the host computer.
Comments