Microsoft Releases Windows Azure Security Resources

Microsoft provided more information about security for Windows Azure, publishing a talk and white paper.

The latest discussion comes from a recorded chat by Charlie Kaufman, Microsoft security architect for Windows Azure, which was published by Microsoft Thursday. Kaufman described the broad concepts that enable security for Windows Azure customers, although he conceded at one point that Windows Azure security is "secure enough for some applications and not secure enough for others."

Essentially, Windows Azure customers (or tenants) access virtual machines (VMs) that tap into Windows Azure's pooled resources in the Internet cloud. Access to the service is tied to the user's account and the account is established through a subscription portal. Customers gain access to the service through a Windows Live ID. Kaufman said that the "crypto behind Live ID is good."

Windows Azure has three basic components: compute, storage, and SQL Azure (which is another form of storage, Kaufman said). All three components run on separate hardware and communication is established via HTTP or SSL requests. A single key controls everything that can be done with storage. Although all of the data on Windows Azure is stored in a single pool, access is only enabled via a secret key for each account, Kaufman explained.

Windows Azure uses a different kind of file system as part of its multitenant architecture. Existing apps need to be modified to use different types of storage, principally blob storage, Kaufman said. The C:, D:, and E: drives that users see actually are virtual hard disks in the root operating system. Inputs and outputs go to the root OS and it makes sure that customers can only talk to their own disks. A network packet filter protects users from attacks from the outside, he added.

A few attacks are possible in Windows Azure. The customer administration interface could be used to launch attacks. However, Microsoft typically keeps watch by checking for any malformed requests.

A Windows Azure tenant could try to attack other tenants. However, Microsoft has architected Windows Azure so that the VMs of customers can't talk with the VMs of other customers. Such attacks would have to try to find a flaw in the hypervisor or in the drivers, Kaufman said.

An end user of Windows Azure could try an attack. In such cases, customers have all of the facilities of Windows to protect the VM against such attacks.

Customers have some security controls. They can determine how many role instances are needed. Each role instance creates a new C:, D: and E: drive structure and only one IP address is applied to a role instance. Customers can determine the size of each VM that runs application software. Customers also specify what certificates, passwords and secret keys each VM can use.

If that isn't enough information about how Windows Azure enables security, Kaufman coauthored a white paper, "Windows Azure Security Overview," released this month, that goes into greater detail. The white paper is written for developers and "technical decision makers."

Last month, Microsoft also released "Security Best Practices for Developing Windows Azure Applications." It describes Microsoft's Security Development Lifecycle, a process used internally by Microsoft to create its software products. It also describes specific Microsoft identity technologies used for Windows Azure security, including Active Directory Federation Services 2.0, the Azure App Fabric Access Control Service and Windows Identity Foundation.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • horizontal stack of U.S. dollar bills breaking in half

    ED Abruptly Cancels ESSER Funding Extensions

    The Department of Education has moved to close the door on COVID relief funding for schools, declaring that "extending deadlines for COVID-related grants, which are in fact taxpayer funds, years after the COVID pandemic ended is not consistent with the Department’s priorities and thus not a worthwhile exercise of its discretion."

  • illustration of a human head with a glowing neural network in the brain, connected to tech icons on a cool blue-gray background

    Meta Introduces Stand-Alone AI App

    Meta Platforms has launched a stand-alone artificial intelligence app built on its proprietary Llama 4 model, intensifying the competitive race in generative AI alongside OpenAI, Google, Anthropic, and xAI.

  • The AI Show

    Register for Free to Attend the World's Greatest Show for All Things AI in EDU

    The AI Show @ ASU+GSV, held April 5–7, 2025, at the San Diego Convention Center, is a free event designed to help educators, students, and parents navigate AI's role in education. Featuring hands-on workshops, AI-powered networking, live demos from 125+ EdTech exhibitors, and keynote speakers like Colin Kaepernick and Stevie Van Zandt, the event offers practical insights into AI-driven teaching, learning, and career opportunities. Attendees will gain actionable strategies to integrate AI into classrooms while exploring innovations that promote equity, accessibility, and student success.

  • robot waving

    Copilot Updates Aim to Personalize AI

    Microsoft has introduced a range of updates to its Copilot platform, marking a new phase in its effort to deliver what it calls a "true AI companion" that adapts to individual users' needs, preferences and routines.