Adopters of Australian Azure must remember security, governance obligations

Australian customers may be happy that Microsoft has finally turned on Australian presences for its Azure cloud service, but some are warning that prospective cloud adopters need to be careful not to rely too heavily on the company's internal security measures.

While the new Australia East and Australia Southeast regions will address many organisations' concerns about data sovereignty and the performance of cloud services, Trend Micro director of strategic business and alliances Greg Boyle warned in a recent blog that Microsoft's heavy investment in back-end Azure security wouldn't prevent customers from being exposed in many of the same ways that they were with proprietary architectures unless they took prudent precautions.

“Microsoft delivers a secure infrastructure,” Boyle wrote, noting that the move to such cloud services necessarily entails adoption of a 'shared security model' in which “the security of the data and applications loaded onto the cloud is up to you.”

That burden required new thinking about often long-standing security models as workloads “step outside the traditional boundaries and security perimeter that has been the cornerstone of a good defence,” Boyle wrote.

“Anti-malware filtering via a gateway appliance, intrusion prevention and firewalling at the gateway are no longer the bastion preventing threats from attacking critical systems. With flexibility of workloads in the cloud, scaling up and scaling out can quickly introduce security gaps and overload traditional security choke points.”

Licensing was another issue that needed to be addressed: often-temporary virtual servers may consume a full year's license for security software unless system administrators are careful to ensure their licensing terms allow the flexibility to match.

Trend Micro, for its part, had met this requirement by offering by-the-hour billing for its Deep Security suite of cloud tools, which is deliverable as a Microsoft Azure extension. Rival Check Point Software Technologies has also taken to the cloud, announcing today that it has brought its Threat Prevention and Virtual Security Gateway to the Azure environment.

Data compliance was yet another key burden for organisations in the cloud, with customers needing to stay on top of PCI-DSS, IRAP, the Australian Privacy Principles and other relevant regulations. Microsoft had implemented some protections for its own platform but organisations requiring compliance needed to make sure they had built up the appropriate policies to manage and protect their data on top of whatever capabilities Microsoft had provided within Azure.

When done correctly, Boyle wrote, Azure security can deliver stronger results than previous environments: “security is often cited as one of the main concerns and inhibiting factors with cloud adoption,” he wrote. “However, we have seen many organisations achieve levels of security in the cloud higher than in their own infrastructure.”

This article is brought to you by Enex TestLab, content directors for CSO Australia.
