As cloud security continues to demand attention, Microsoft has announced new offerings that are aimed at giving customers greater transparency and control over their data in Microsoft Azure.
The computing giant is clearly making an effort to take some of its trustworthy computing ideas from strategy to reality. For instance, on the transparency front, it has launched enhanced activity logs of user, admin and policy related actions, which customers and partners can tap into and use as security and compliance signals through the new Office 365 Management Activity API. This allows customers to build industry-specific solutions for monitoring, analysis and compliance assurance.
Meanwhile, by the end of this year, we will enable a new Customer Lockbox for Office 365, which brings the customer into the approval loop so that they can approve or reject a Microsoft engineer’s request to log into the Office 365 service.
For control, it has added increasing levels of encryption in Office 365. In the coming months, Microsoft will increase the levels of encryption for email to implement content-level encryption in addition to the Bitlocker encryption offered today. And in the next year, customers can require Microsoft to use customer-generated and controlled encryption keys to encrypt data-at-rest.
Also, Microsoft is working with a number of other vendors to enable a variety of appliances, which will give customers greater flexibility in building applications along with higher degree of control on the networking topologies in Azure. These include offerings from F5, Barracuda, Fortinet and others that will be announced in the coming months.
“We have significantly expanded our stable of supported appliances, both in vendors and types, from WAN optimizers to network firewalls,” said Mark Russinovich, CTO of Microsoft Azure, in an interview at RSA 2015. “We want to address both people who have moved to the cloud already, and those who have the cloud on the radar.”
In an earlier keynote at RSA 2015, Microsoft described some of the ways that the shift to the cloud is affecting how businesses think about securing corporate information. But moving beyond a big picture viewpoint, it’s worth asking how companies can actually implement some of these ideas, like shoring up access control with new kinds of authorization credentials like biometrics. Russinovich said that many of the ideas will continue to be strategy rather than practice for a while.
“Everything that security theorists have been talking about for years is still relevant and will continue to be relevant,” Russinovich said, noting that different aspects will roll out at different paces. “Next year I think we’ll see that white listing is still nascent and will take a long time to become pervasive, but tackling shadow IT is a problem that more enterprises will be talking about.”