Azure is an ever-evolving set of cloud-based services from Microsoft, designed to give businesses a secure global environment for their workload and computing needs, with the ability to scale out, scale up and scale down as requirements change. Security on Azure is a shared responsibility: Microsoft maintains and secures the underlying infrastructure (physical datacenters, hosts, network fabric and the platform services themselves), while your company remains responsible for what it puts on that platform: your data, your identities and access controls, the operating systems and software you deploy, and your web applications. Azure penetration testing lets you gain most of the benefits of a traditional penetration test against that customer-controlled layer while staying within Microsoft's rules of engagement.
Built-in Azure Security Features
Security is a top priority for all business customers, and Azure ships with a number of built-in controls. Traffic between Microsoft datacenters is encrypted, and platform endpoints offer TLS, but traffic to and from your own applications is only encrypted if you configure it. Data at rest can be protected with the platform's own tools, such as Storage Service Encryption and Azure Disk Encryption. In addition, you have access to controls such as Web Application Firewall (WAF), Network Security Groups (NSG), Azure Security Center (since renamed Microsoft Defender for Cloud) and Log Analytics with threat detection. These features are well documented and effective when correctly configured, but a misconfigured NSG rule, a WAF in detection-only mode or an unmonitored log source is still a gap, and the only reliable way to find out whether an attacker could get past your configuration is to test it. An Azure penetration test gives you a report that identifies the vulnerabilities that actually exist in your deployment and recommends fixes.
Unified Rules of Engagement for Azure Penetration Testing
Microsoft has set forth a number of rules that you must follow if you conduct Azure penetration testing. The goal is to let you assess the security of the cloud-based services Microsoft hosts for you without affecting other customers running on the same shared platform. If you discover a security vulnerability in Microsoft's own cloud services during your test, you must report it to Microsoft within 24 hours. As of June 15, 2017, you are no longer required to notify Microsoft in advance that you will be performing an Azure penetration test. The rules are revised periodically, so check the current version of Microsoft's cloud penetration testing rules of engagement before you start. You remain prohibited from the following activities during your test:
- Scanning or testing assets belonging to others;
- Obtaining access to data that you do not own;
- Mounting a denial of service attack;
- Performing network-intensive fuzzing against any machine other than your own Azure virtual machines;
- Conducting automated penetration testing that generates high traffic volume;
- Going beyond "proof of concept" reproduction steps for infrastructure vulnerabilities (demonstrating that a flaw exists is acceptable; using it to execute commands or dig deeper into Microsoft's infrastructure is not);
- Violating Microsoft’s Acceptable Use Policy;
- Attempting social engineering attacks such as phishing against Microsoft employees.
While there are several prohibitions, many other activities are encouraged during the test:
- Creating a small number of test accounts or trial tenants of your own to demonstrate cross-account or cross-tenant data access (using one of them to reach another customer's data is still prohibited);
- Port scanning, fuzzing and running other vulnerability scanning tools against your own virtual machines;
- Load testing your application with the traffic volumes expected in the normal course of business, including surge capacity;
- Testing your security monitoring and alerting tools to confirm they detect your activity;
- Attempting to break out of a shared Azure service container such as App Service or Azure Functions. If you succeed, report it to Microsoft promptly and stop there rather than digging further.
As long as you and your team keep these rules of engagement at the top of your mind as you run the penetration testing process, you will be able to glean a great deal of useful information without running afoul of Microsoft policies.
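The rules above come down to two practical constraints on any scanning you automate: touch only addresses you own, and keep the traffic volume modest. The following is an added example (not code from the original page, and not a Microsoft tool) of how a tester can enforce both before a scan is launched: every entry in a scope file is checked against the address ranges of your own Azure resources, anything outside them is refused rather than scanned, and the resulting nmap command is rate-limited. The owned ranges, the scope file contents and the addresses in them are constructed, hypothetical values; in a real engagement they would come from your subscription's public IP and VNet inventory.

```python
import ipaddress

# Constructed sample: address ranges you own in your Azure subscription.
# Hypothetical values; export the real ones from your subscription's
# public IP and VNet inventory before the engagement.
OWNED_RANGES = [
    "20.50.100.0/28",   # hypothetical public IP prefix of your own VMs
    "10.1.0.0/16",      # hypothetical VNet address space
]

# Constructed sample scope file: one host or CIDR per line, '#' starts a comment.
SCOPE_FILE = """\
# web tier (hypothetical addresses)
20.50.100.4
20.50.100.5
# internal subnet reachable from the jump host
10.1.2.0/24
# an address outside our ranges that crept into the list
20.50.200.7
not-an-address
"""


def parse_targets(text):
    """Yield (raw_entry, network) pairs; network is None when the entry is not an address."""
    for line in text.splitlines():
        raw = line.split("#", 1)[0].strip()
        if not raw:
            continue
        try:
            # strict=False accepts host bits set in a CIDR, e.g. "10.1.2.7/24"
            yield raw, ipaddress.ip_network(raw, strict=False)
        except ValueError:
            yield raw, None


def classify_scope(scope_text, owned_ranges):
    """Split scope entries into in_scope, out_of_scope and invalid lists.

    An entry is in scope only if every address it covers lies inside one of the
    owned ranges, so a CIDR that straddles an ownership boundary is refused.
    """
    owned = [ipaddress.ip_network(r) for r in owned_ranges]
    result = {"in_scope": [], "out_of_scope": [], "invalid": []}
    for raw, net in parse_targets(scope_text):
        if net is None:
            result["invalid"].append(raw)
        elif any(net.version == o.version and net.subnet_of(o) for o in owned):
            result["in_scope"].append(raw)
        else:
            result["out_of_scope"].append(raw)
    return result


def build_scan_command(targets, max_rate=100):
    """Build an nmap argv list restricted to vetted targets, without running it.

    --max-rate caps packets per second so an automated scan does not turn into
    the high-volume traffic the rules prohibit; -Pn skips host discovery pings.
    """
    if not targets:
        raise ValueError("no in-scope targets; refusing to build a scan command")
    return ["nmap", "-Pn", "--top-ports", "100", "--max-rate", str(max_rate), *targets]


if __name__ == "__main__":
    verdict = classify_scope(SCOPE_FILE, OWNED_RANGES)
    for raw in verdict["out_of_scope"]:
        print(f"REFUSED (not your asset): {raw}")
    for raw in verdict["invalid"]:
        print(f"SKIPPED (unparseable):    {raw}")
    cmd = build_scan_command(verdict["in_scope"])
    print("would run:", " ".join(cmd))
    # Once the printed command has been reviewed, run it with
    # subprocess.run(cmd, check=True) from the same script.
```

Hostnames are deliberately reported as invalid rather than resolved on the fly: resolve them yourself before the engagement and put the resulting addresses in the scope file, so that a DNS change during the test cannot silently point the scan at someone else's machine. The same ownership check is worth running in front of any fuzzer or load generator, not just nmap.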
Protect Your Web Application and Cloud Assets Today
Safeguarding the proprietary content you keep on the Azure platform while staying within Microsoft's policies is both crucial and challenging. That is why many organizations do their research and engage a penetration testing firm rather than running the test themselves.
Credentialed professionals in this constantly evolving field understand the best practices and compliance requirements of the Azure ecosystem and can share that knowledge with your IT team at every step of the engagement. To start a conversation with these testing professionals, complete a simple online form. A customer care representative will contact you to introduce the available services and help you set up an account.