Security has always been at the heart of Azure. As we strive to deliver the latest security innovations to our customers, our team has improved the end-to-end experience from user workloads through the underlying infrastructure. With today’ security news and announcements, we’re sharing enhanced tools from Azure, from our partners, and Azure Stack Hub that enable you to improve your security posture.
Azure Security tools: Azure Sentinel and Azure Security Center
Azure Sentinel recently added support for workloads running on Azure Stack Hub. Azure Sentinel enables you to detect threats and respond smarter and faster though Azure powered artificial intelligence. To learn more about this integration, click here.
We’re also bringing our ongoing investment in cloud security with Azure Security Center to Azure Stack Hub. Azure Security Center is a unified infrastructure security management system that strengthens the security posture of your data centers and provides advanced threat protection (including server Endpoint Detection and Response - EDR) across your hybrid workloads. With Azure Security Center, you can receive actionable, prioritized security recommendations, powered by Azure Secure Score, in order to assess the security of your Windows and Linux VMs running on top of Azure Stack Hub and improve your compliance with regulatory standards. To learn more about this integration, click here.
How Partners are Adding Security Expertise to Azure Stack Hub
Many of our customers operate Azure Stack Hub in regulated or classified environments, where hardware protection and generation of keys and secrets are required. We recently announced our work with Thales to bring the CipherTrust Cloud Key Manager (CCKM) solution to the Azure Stack Hub marketplace. CCKM enables customers to upload, manage, and revoke keys to and from Azure Key Vaults running in either Azure Stack Hub or Azure, all from a single pane of glass. Thales CCKM works with Azure and Azure Stack Hub “Bring Your Own Key” (BYOK) APIs to enable such key control. CCKM creates Azure-compatible keys from a FIPS 140-2 source, like the Thales DSM that can achieve FIPS 140-2 Level 3 compliancy. CCKM supports both Azure Active Directory (AAD) and Active Directory Federation Services (ADFS) deployments, hence it can run in air-gapped or disconnected environments.
For customers interested in obtaining vulnerability reports and DISA STIG assessments of the Azure Stack Hub infrastructure, we’re happy to announce that Qualys has made them generally available from the Qualys portal. With each Azure Stack Hub update release, Microsoft will provide to Qualys a new vulnerability report generated with the Qualys Cloud Platform, enabling our customers to have the latest report available to meet their compliance requirements. Customers can also use Qualys Virtual Scanner Appliances, Qualys Cloud Agents or Qualys Container Sensors to assess their Azure Stack Hub workloads, including Kubernetes-based containers.
Splunk recently released a dashboard for the Azure Stack Hub infrastructure. The dashboard uses Azure Stack Hub domain-specific knowledge to enable Azure Stack Hub operators to closely monitor important security events, such as code integrity violations, privileged endpoint access or suspicious activity via Windows Defender. This will allow organizations to have greater visibility into their Azure Stack Hub environment and reduce time to remediate. The Microsoft Azure Stack App for Splunk and the Microsoft Azure Stack Add-on for Splunk are available for download on Splunkbase.
Infrastructure Updates Further Enhance Azure Stack Hub Security
At the Azure Stack Hub infrastructure level, with the 1910 release, Azure Stack Hub now uses 4096 bit RSA keys for the internal certificates, supports AES256 for data at rest encryption and Kerberos authentication, SHA384 for VPN encryption and it complies with the Committee on National Security Systems - Policy 15 (CNSSP-15) which provides best practices for the use of public encryption standards for secure information sharing.
Beginning with the 1908 release, Azure Stack Hub runs in FIPS mode and the data at rest encryption secrets are persisted in the Trusted Platform Module (TPM) 2.0 chips. The 1906 release brought the capability of Azure Stack Hub operators to enforce the Transport Layer Security (TLS) protocol version 1.2 on the external endpoints. This new capability helps Azure Stack Hub operators to secure their communications by using the more secure TLS 1.2 as the only TLS version allowed. In preparation for this new capability, we also validated TLS 1.2 for the virtual machines extensions in the Azure Stack Hub marketplace so that you can secure your end-to-end communications with Azure Stack Hub and the workloads running on top of it.
Starting with the 1906 release, we have been adding improvements to the internal secret rotation engine as we work through making it fully autonomous. We also added a safeguard to prevent the expiration of internal secrets by forcing internal secrets rotation in case a critical alert on expiring secrets is ignored.
As we continue to work on security features for Azure Stack Hub, let us know if there are first or third party features that you would like to see in Azure Stack Hub by leaving a comment below.