The focus of this month's newsletter is a topic that is top of mind for many of the CISOs and IT professionals I talk to these days—cloud security. With more and more organizations around the world leveraging cloud services, understanding how to protect your assets in the cloud and provide users with secure access to those assets is more important than ever. As a result, we have a great security tip from Tom Shinder on penetration testing applications hosted in Azure.
Additionally, Windows 10 is now publicly available! Explore the business benefits of Windows 10, learn about the built-in security features, and take advantage of the free Windows 10 Home and Windows 10 Pro upgrade offer for those on Windows 7 or Windows 8.1. Then, when you're ready to start testing Windows 10 for your organization, download the Windows 10 Enterprise Evaluation to try Windows 10 Enterprise free for 90 days.
Best regards,
Tim Rains, Chief Security Advisor
Cybersecurity & Cloud Strategy, Microsoft
Security Tip of the Month: Pen Testing Your Applications Hosted In Microsoft Azure
By Tom Shinder, Program Manager, Microsoft Azure Security Engineering
One of the great things about using Microsoft Azure for application testing and deployment is that you don't need to put together an on-premises infrastructure to develop, test, and deploy your applications. All the infrastructure is taken care of by the Microsoft Azure platform services. You don't have to worry about requisitioning, acquiring, and "racking and stacking" your own on-premises hardware. Just dev and deploy!
As a reader of this newsletter, you're likely a security-conscious person. While the dev and deploy mantra sounds great and makes you as agile as agile can be, the fact is that security needs to be job one, not only on-premises, but perhaps even more so in the cloud. That's fine, because you can handle it.
You might already know that Microsoft performs regular internal penetration testing of our own Azure environment. This is a good thing, as it helps us improve our platform and guides our actions in terms of changing current security controls, introducing new security controls, and improving our security processes. We live by the principle of continuous business improvement, and with Azure platform security, it's our passion.
If penetration testing is good for us, then it's good for you. No, we won't pen test your application for you, but we do understand that you will want to perform pen testing on your own applications. That's a good thing, because when you enhance the security of your applications, you help make the entire Azure ecosystem more secure.
The trick here is that when you pen test your applications, it might look like an attack to us. We continuously monitor for attack patterns and will initiate an incident response process if we need to. It doesn't help you and it doesn't help us if we trigger an incident response due to your own due diligence pen testing. What to do?
That leads us to this month's security tip! When you're ready to pen test your Azure-hosted applications, all you need to do is let us know. Once we know that you're going to be performing specific tests, we'll have insight into what's going on and we won't shut you down, as long as your tests conform to the Azure pen testing terms and conditions.
Standard tests that you can perform include:
One type of test that you can't perform is any kind of Denial of Service (DoS) attack. This includes initiating a DoS attack itself, or performing related tests that might determine, demonstrate or simulate any type of DoS attack.
Are you ready to get started with pen testing your applications hosted in Microsoft Azure? If so, then head on over to the Penetration Test Overview page (which is also linked to from the Azure Trust Center) and click the Create a Testing Request button at the bottom of the page. You'll also find more information on the pen testing terms and conditions and helpful links on how you can report security flaws related to Azure or any other Microsoft service.
To keep up to date on the latest security information and topics as related to Microsoft Azure, make sure to bookmark the Azure Security Blog. Thanks!!! -Tom.
How Microsoft Azure Active Directory helps prevent, detect and remediate attacks to your enterprise
Explore a set of solutions across Active Directory and Azure AD that can help your organization easily identify key risks, and learn how to implement mechanisms across the hybrid enterprise to prevent, detect, and remediate the attacks your organizations may face.
Azure Active Directory: Identity Management as a Service for modern applications
Identity Management as a Service (IDMaaS) is an emerging capability to help developers and organizations manage access to modern applications. Learn more in this on demand session from //build.
Administer your Azure AD directory
Find out how Azure AD can help you manage identities.
Azure AD Privileged Identity Management
Azure AD Privileged Identity Management lets you manage, control, and monitor your privileged identities and their access to resources in Azure AD, and in other Microsoft online services such as Office 365 or Microsoft Intune. Walk through the core scenarios for Azure AD Privileged Identity Management and learn how to put it to work for you.
Manage passwords in Azure AD
Explore the full set of password management capabilities that Azure Active Directory supports, which include self-service password change and reset, administrator-initiated password reset, password management activity reports, and password writeback.
Getting started with Azure security for the IT professional
Do IT security concerns keep you up at night? You're not alone! Many IT pros want to extend their organization's infrastructure but need reassurance about security. Whether you are researching a hybrid or a public cloud model with Microsoft Azure, the question remains the same: Does the solution meet your own personal and your organization's bar for security, including industry standards, attestations, and ISO certifications?
In this demo-filled Microsoft Virtual Academy course, you can explore these and other hot topics, as a team of security experts and Azure engineers takes you beyond the basic certifications and explores what's possible inside Azure. See how to design and use various technologies to ensure that you have the security and architecture you need to successfully launch your projects in the cloud. Dive into datacenter operations, virtual machine (VM) configuration, network architecture, and storage infrastructure. Get the information and the confidence you need, from the pros who know, as they demystify security in the cloud.
Active Directory core skills jump start
Constantly resetting customer passwords? Want to extend your on-premises Active Directory? Join this Microsoft Virtual Academy session to explore Azure Active Directory (Azure AD) as part of the Enterprise Mobility Core Skills series, arming you with key knowledge to enable enterprise mobility management and to prepare your environment for Windows 10.