Microsoft Amps up Azure's Security Features
Among the newest security features for Microsoft's Azure is the ability to authenticate users to software-as-a-service apps via Azure Active Directory.
At Microsoft's annual TechEd conference in Houston last month, the software giant revealed a number of new initiatives on the security front. In particular, the theme of mobile-first cloud-first (or vice versa depending on who's talking) was highlighted from the first keynote and throughout the week.
Microsoft's Azure cloud platform was recently renamed to drop the Windows association in an effort to highlight the fact that Azure does more than just run Windows in the cloud. You can see the evidence of this push on multiple fronts, from the support for a wide range of Linux guest virtual machines to support for popular open source programming languages.
The mobile-first emphasis has also taken on a new tone, with a wide range of announcements for non-Microsoft mobile devices. At the management level Microsoft has invested in their Intune product to add support for a large number of mobile devices. Working in conjunction with System Center 2012 Configuration Manager, you get the ability to do things like control device settings to include passwords, data encryption, roaming and the ability to install new applications. The Enterprise Mobility Suite product offering announced in March includes Azure Active Directory (AD) premium, Azure Record Management System (RMS) and Windows Intune.
Azure Active Directory
Establishing identity is, without doubt, one of the key aspects of any security solution. For Microsoft, the critical functional piece to identity is Active Directory. Azure AD provides authentication services outside the corporate firewall while maintaining the ability to control access from a familiar console. Azure Active Directory fully integrates with an on-premises AD to provide a link between corporate users, their permissions and the Azure cloud.
One of the newer features shown off at TechEd is the ability to authenticate using Azure AD to a wide range of software-as-a-service (SaaS) applications, including Box.com, Dropbox, Concur travel services and Salesforce.com. A complete list of currently supported SaaS apps is available for browsing on the Microsoft Azure website.
Figure 1 shows the "add an application for my organization to use" screen from the Azure Active Directory management panel. From the figure you can see the current number of applications is 1,648. This wizard guides you through the process of configuring one of the apps and then authorizing its use to any user in your Azure AD list.
Microsoft's mobile device strategy has seen a gradual adoption of non-Microsoft devices over time. At TechEd the phrase "use the devices you love to be productive" was frequently repeated and demonstrated on stage. Protecting these devices uses a layered approach to provide as little or as much protection as necessary.
At the information protection level Microsoft has announced a new app wrapper tool distributable via Intune to control things like copy-and-paste. With this feature enabled, you won't be able to copy information from the company email account into a non-secure personal email account -- or any other application for that matter.
Azure RemoteApp is a new capability announced at TechEd and currently available in preview. It's basically a cloud version of the Windows Server RemoteApp capability running any of a list of applications remotely on Azure using a Remote Desktop application as the user's connecting point. Microsoft released versions of its RDP application to the Apple and Google Play stores about seven months ago and has seen a significant number of downloads of each. This new capability requires an updated version of these apps in order to connect to the Azure service.
Azure RemoteApp also supports custom line-of-business (LOB) applications which you can publish to Azure to make them accessible from essentially anywhere you can get an Internet connection. Since the technology is based upon running a remote desktop session on the client, you have the ability to publish literally any application that runs on Windows. The key piece of this capability is the fact that the application runs on the Azure platform, with the ability to scale up or down as demand dictates.
Microsoft Rights Management on Azure
Inadvertent security incidents can hurt a corporation just as much as intentional ones. It's just too easy to send an email with a document attached to the wrong person by selecting an addressee with either the same or a similar name as the intended recipient. Microsoft introduced a new rights management feature to help solve this problem for Microsoft Office and Adobe PDF documents. Microsoft Rights Management (RMS) comes as an on-premises solution and in the cloud as Azure RMS.
Once installed, the Azure RMS client provides easy access to document protection tools from within the entire Office suite as well as the Windows file manager (see Figure 2). After a document has been protected, only specific users with access rights will be able to open or view the document. The less intrusive and cumbersome the process of protecting information is, the more likely users will go to the trouble of doing it.
You can try out Microsoft RMS for yourself by going to the portal page where you can download the RMS sharing application for desktop computers and mobile devices.
Microsoft uses the term data governance to identify the policies and enforcement tools covering all the sensitive information within an organization. It encompasses a wide range of applications and file types and uses RMS wherever possible to help prevent both overt and inadvertent spillage. The Microsoft Outlook integration has the ability to detect things such as credit card and Social Security numbers and will warn the user to make sure all recipients are authorized to receive the information.
Bottom Line: On Right Path with Azure
It's pretty safe to say that Microsoft understands the security landscape from an enterprise perspective. They've gone to great lengths to listen to customer feedback and to address specific pain points such as accidental document spillage. From a business perspective it's all about reducing cost and improving overall manageability. From an initial look at these new announcements, Microsoft is moving down the right path.
Paul Ferrill has been writing in the IT trade press for over 25 years. He's written hundreds of articles for publications like Datamation, Federal Computer Week, InfoWorld, Network Computing, Network World and PC Magazine and is the author of two books. He is a regular contributor to ServerWatch.com and several other QuinStreet Enterprise properties.