Just like any piece of internet-facing software out there, cloud services are targets of cyberattacks too. We have seen recent examples of the FabricScape and AutoWarp vulnerabilities present in Microsoft's Azure cloud. Now, the company has shared some more details about how it handles security processes and updates when it comes to cloud services.
In a blog titled "Anatomy of a Cloud-Service Security Update" by Microsoft Security Response Center's (MSRC) Corporate Vice President Aanchal Gupta, the executive has talked about the department's work in the cybersecurity space.
In terms of the identification of cloud vulnerabilities, Microsoft says that it has 8,500 security experts who provide around the clock coverage to secure Azure. The company also has a Cyber Defense Operations Center (CDOC) which combines security expertise across various departments to combat more sophisticated threats. It has red and blue teams which regularly test its defense mechanisms too, and in case of an issue, impacted customers are immediately notified and Microsoft experts help to secure their respective perimeters.
But this is not only an internal process, Microsoft also collaborates with partners and independent security researchers through its Bug Bounty Program. Last year, the firm awarded $13 million to researchers for discovering and privately reporting various bugs.
Coming over to mitigations of vulnerabilities, Microsoft has emphasized that the main advantage on this front is that security updates are deployed to customers as soon as they are ready. There is no Patch Tuesday process and customers typically don't have to take any action for fixes to be deployed. It has explained its security incident response process as follows:
- Detection: Issues are reported by internal security experts or by external partners, and our 24/7 security teams will respond accordingly and begin an assessment.
- Mitigation: Once an issue is assessed, our teams work around the clock to identify and test mitigations. This includes variant analysis and looking at root cause for opportunities to eliminate whole classes of issues rather than single vulnerabilities where possible. We also thoroughly test fixes to ensure compatibility and data integrity.
- Deploy: Once mitigation is ready and tested, we deploy in real-time to our cloud services. This is not tied to an Update Tuesday timeframe—these updates happen regularly as needed.
Work doesn't end after deploying fixes though, there is also a post-incident review to discuss how processes can be further improved and to get feedback from customers.
Microsoft tags cloud vulnerabilities with a CVE only when customer action is required, in line with the industry standard. The company usually recommends that required actions be taken as soon as possible. It claims that it builds customer trust by immediately notifying those impacted and giving them full transparency of the scope of the issue and the actions required in response, if any. This information is provided privately so Azure users are prepared for deployments ahead of a vulnerability becoming commonly known.
Although the Redmond tech giant works around the clock to harden its cloud defenses, it has recommended that people read its Microsoft Security Best Practices guide as well.