
Tuesday, 1 August 2023

Always learning, always adapting: Unpacking Azure’s continuous cybersecurity evolution

In the first blog of our series on Azure Security, we discussed our approach to tackling cloud vulnerabilities. Our second blog highlighted our use of variant hunting to detect patterns and enhance security across our services. The third blog in the series introduced game-changing architecture to improve built-in security. In this installment, we share our integrated response strategy which provides a continuous learning model, leveraging big data, to improve response, detections, preventative controls, and governance to measure and improve effectiveness.


Azure Security’s “Integrated Response” is the function of incorporating security risk mitigation strategies into a durable security program, seamlessly coordinating across federated security functions to learn, share, and adapt effective strategies to address top risks and threats at hyper-scale. As new threats and security risks emerge from a variety of sources, we address them by evaluating root causes and developing security controls as a learning feedback system. Our learnings from proactive and reactive analysis turn into product updates and threat intelligence enhancements in our security products.


To maintain trust and accelerate response timelines, our closed-loop feedback cycle incorporates both internal and external risk drivers to improve each stage of our security response pipeline. Regularly reviewing security incidents is key to our ability to continuously improve our agility and response time to mitigate security risks for our customers. Each of our institutional processes, such as the Security LiveSite Review (SLR), Security Health Reviews (SHR), and our Security Operation Reviews (SOR) highlight and prioritize opportunities for improvement at all levels of Azure’s engineering organizations. Let’s dive into what each of these phases means and how they connect to each other.

Fostering a secure culture: A deeper look at Azure’s rigorous comprehensive protection and response 


In a Cloud-First world, our customers trust us with their data, intellectual property, and critical business applications. To meet these expectations, we take a holistic approach to govern security and create an Integrated Response which incorporates a feedback cycle of identifying risk drivers and ensuring we drive the appropriate security controls to properly protect, detect and respond to threats. In addition, we ensure all products meet our security standards, such as Microsoft Cloud Security benchmarks. Here are the components of our Integrated Response:

First response on new threats: Microsoft Security Response Center (MSRC) and Cyber Defense Operations—Operating with an “Assume Breach” mindset, we have honed our ability to quickly and effectively respond to security incidents and drive rapid security mitigation and improvements. We engage customers, industry partners, and Microsoft product teams alike to work in this continuous feedback loop. MSRC is an integrated part of the defender community operating on the front line of security response for our Azure customers and for other products within Microsoft. For more than twenty years, MSRC has served to detect, respond, and recover from security vulnerabilities. Our decades of experience defending a wide range of technologies have shown us that continually learning and evolving, both inside and out, is essential to staying ahead of the ever-changing threat landscape.

Learn from every Security Incident: Security Live Site Reviews (SLR)—Following a security incident originating from MSRC or Red Team Operations, once the immediate remediation activity concludes, we prioritize conducting an SLR to drive 5-why analysis with product teams and executive leadership. Every week, from the Executive Vice President level down, we deconstruct incidents to their contributing root cause(s); this drives Microsoft’s strategies for identifying process gaps, security control updates, and product improvements that raise Azure’s security posture. As discussed earlier in the series, throughout the investigation we look for patterns beyond the specific incident so that we address the underlying cause rather than only the symptom. We track the resulting repair items through all phases of our product and service development lifecycle, including operations, engineering workflow, and security governance processes.

Ensure security culture and improve operational rigor: Security Operations Review (SOR)—To improve operational security hygiene and foster a deep security culture, we conduct regular SORs. These reviews bring together executive leaders and product teams to share best practices, review behavioral trends and security control performance, and confirm that teams are meeting their security SLAs as a matter of proactive routine.

Understand and reduce holistic security risk: Security Health and Risk Reviews (SHR)—Understanding the security risk behind each requirement is an important element of maintaining a security-first mindset. We rationalize control performance and risk in the aggregate and conduct deep dives with product teams, creating a joint security-review conversation to learn and to drive strategies that address emerging threats more broadly. The SHR ties emerging risk to strategic product improvements by merging Azure Security’s perspective with product plans, so that we meet our customers’ needs now and in the future and invest in security innovation for tomorrow’s threats.

Govern effectively and drive security standards: Azure Security Governance—Always following a growth mindset, we drive security governance at scale across more than six thousand unique products, driving security baseline compliance and ensuring our customers have the right security capabilities integrated into our products before release, as documented in the Microsoft Cloud Security Benchmark (MCSB). MCSB helps customers ensure that their service configurations in Azure and other clouds meet the security specifications defined in frameworks such as those of the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), and the Payment Card Industry (PCI). Because MCSB controls are pre-mapped to these industry benchmarks, customers can align to them efficiently.

Internally, this governance function measures and provides insights and trends on behavioral and security control performance across our products, integrating new controls into the SDL to stay relevant and mitigate emerging risks, while also giving leaders the security visibility they need to understand their security posture and drive a security-first culture within their teams. We track security key performance indicators (KPIs) at scale and prioritize the controls that are effective at mitigating threats, based on real-world findings from root cause analysis of malicious attacks, Red Team discoveries, MSRC findings, and industry incidents. Many of these are broadly recognized as industry best practices and are requirements of Microsoft Security Policy (SDL/OSA) as well as of regulatory compliance standards. These security KPIs are measured with Microsoft security technologies, which have expanded and matured over time.

Embracing continual learning: How Azure’s Integrated Response strategy innovates security for a changing world


Our Integrated Response strategy provides a holistic approach to incorporate risk drivers with security controls and ensure products meet Microsoft Cloud Security benchmarks, leveraging measurement at scale and governance to identify and mitigate risks end-to-end. Microsoft combines our strong internal security response program with a broad and diverse ecosystem of security partners to supply world-class protection for billions of customers and the broader market. We recognize that security is a culmination of product and process and that Defense-in-Depth is a layered approach to both. As such, we embrace feedback and iterate improvements by measuring for effect. Our decades of experience defending a wide range of technologies have shown us that continually learning and evolving, both inside and out, is essential to staying ahead of the ever-changing threat landscape. 

Source: microsoft.com

Thursday, 16 February 2023

Microsoft Azure Security expands variant hunting capacity at a cloud tempo

In the first blog in this series, we discussed our extensive investments in securing Microsoft Azure, including more than 8500 security experts focused on securing our products and services, our industry-leading bug bounty program, our 20-year commitment to the Security Development Lifecycle (SDL), and our sponsorship of key Open-Source Software security initiatives. We also introduced some of the updates we are making in response to the changing threat landscape including improvements to our response processes, investments in Secure Multitenancy, and the expansion of our variant hunting efforts to include a global, dedicated team focused on Azure. In this blog, we’ll focus on variant hunting as part of our larger overall security program.

Variant hunting is an inductive learning technique, going from the specific to the general. Using newly discovered vulnerabilities as a jumping-off point, skilled security researchers look for additional and similar vulnerabilities, generalize the learnings into patterns, and then partner with engineering, governance, and policy teams to develop holistic and sustainable defenses. Variant hunting also looks at positive patterns, trying to learn from success as well as failure, but through the lens of real vulnerabilities and attacks, asking the question, “why did this attack fail here, when it succeeded there?”

In addition to detailed technical lessons, variant hunting also seeks to understand the frequency at which certain bugs occur, the contributing causes that permitted them to escape SDL controls, the architectural and design paradigms that mitigate or exacerbate them, and even the organizational dynamics and incentives that promote or inhibit them. It is popular to do root cause analysis, looking for the single thing that led to the vulnerability, but variant hunting seeks to find all of the contributing causes.

While rigorous compliance programs like the Microsoft SDL define an overarching scope and repeatable processes, variant hunting provides the agility to respond to changes in the environment more quickly. In the short term, variant hunting augments the SDL program by delivering proactive and reactive changes faster for cloud services, while in the long term, it provides a critical feedback loop necessary for continuous improvement. 

Leveraging lessons to identify anti-patterns and enhance security


Starting with lessons from internal security findings, red team operations, penetration tests, incidents, and external MSRC reports, the variant hunting team tries to extract the anti-patterns that can lead to vulnerabilities. In order to be actionable, anti-patterns must be scoped at a level of abstraction more specific than, for example, “validate your input” but less specific than “there’s a bug on line 57.” 

Having distilled an appropriate level of abstraction, variant hunting researchers look for instances of the anti-pattern and perform a deeper assessment of the service, called a “vertical” variant hunt. In parallel, the researcher investigates the anti-pattern’s prevalence across other products and services, conducting a “horizontal” variant hunt using a combination of static analysis tools, dynamic analysis tools, and skilled review.

Insights derived from vertical and horizontal variant hunting inform architecture and product updates needed to eliminate the anti-pattern broadly. Results include improvements to processes and procedures, changes to security tooling, architectural changes, and, ultimately, improvements to SDL standards where the lessons rapidly become part of the routine engineering system.

For example, one of the static analysis tools used in Azure is CodeQL. When a newly identified vulnerability does not have a corresponding CodeQL query, the variant hunting team works with other stakeholders to create one. New “specimens”—that is, custom-built code samples that purposely exhibit the vulnerability—are produced and incorporated into a durable test corpus so that the learnings are preserved after the immediate investigation has ended. These improvements provide a stronger security safety net, helping to identify security risks earlier in the process and reducing the re-introduction of known anti-patterns into our products and services.


Azure Security's layered approach to protecting against server-side threats


Earlier in this series, we highlighted security improvements in Azure Automation, Azure Data Factory, and Azure Open Management Infrastructure that arose from our variant hunting efforts. We would call those efforts “vertical” variant hunting.

Our work on Server-Side Request Forgery (SSRF) is an example of “horizontal” variant hunting. The impact and prevalence of SSRF bugs have been increasing across the industry for some time. In 2021 OWASP added SSRF to its top 10 list based on feedback from the Top 10 community survey—it was the top requested item to include. Around the same time, we launched a number of initiatives, including:

◉ Externally, Azure Security recognized the importance of identifying and hardening against SSRF vulnerabilities and ran the Azure SSRF Research Challenge in the fall of 2021.
◉ Internally, we ran a multi-team, multi-division effort to better address SSRF vulnerabilities using a layered approach.
◉ Findings from the Azure SSRF Research Challenge were incorporated into new CodeQL rules that detect more SSRF bugs.
◉ Internal research drove investment in new libraries for parsing URLs to prevent SSRF bugs and new dynamic analysis tools to help validate suspected SSRF vulnerabilities.
◉ New training has been created to enhance prevention of SSRF vulnerabilities from the start.
◉ Targeted investments by product engineering and security research contributed to the creation of new Azure SDK libraries for Azure Key Vault that will help prevent SSRF vulnerabilities in applications that accept user-provided URIs for a customer-owned Azure Key Vault or Azure Managed HSM.
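The post describes CodeQL “specimens” (code that deliberately exhibits a vulnerability, kept in a durable test corpus) and, for SSRF, new URL-parsing libraries and Key Vault SDK checks for user-provided vault URIs. The Python below is an added illustration of both ideas and is not Microsoft’s code: a deliberately vulnerable specimen beside a hardened validator, plus a small specimen corpus that records the expected verdict for each input. The allowed DNS suffixes, the vault-name pattern, the sample URLs and the fake resolvers are assumptions made for this example.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Assumed allowlist of DNS suffixes for customer-owned vaults (public-cloud names;
# sovereign clouds use other suffixes).
ALLOWED_SUFFIXES = (".vault.azure.net", ".managedhsm.azure.net")
# Assumed vault-name rule: a single DNS label, 3-24 chars of letters, digits, hyphens.
VAULT_LABEL = re.compile(r"[a-z0-9][a-z0-9-]{1,22}[a-z0-9]")


class SsrfRejected(ValueError):
    """Raised when a user-supplied URI fails the hardened checks."""


# --- Specimen: the anti-pattern, kept vulnerable on purpose -----------------
def specimen_fetch(user_url, http_get):
    """Anti-pattern: a server-side fetch of whatever URI the caller supplied.
    Nothing stops user_url from being the instance metadata endpoint."""
    return http_get(user_url)


# --- Hardened form ----------------------------------------------------------
def _is_public(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_vault_url(user_url, resolver=socket.gethostbyname_ex):
    """Return a normalised https URL for an allowed vault host, or raise SsrfRejected.
    `resolver` is injectable so the check can run offline in tests. Query and
    fragment are dropped; the caller appends its own api-version."""
    parts = urlsplit(user_url)
    if parts.scheme != "https":
        raise SsrfRejected("scheme must be https")
    if parts.username is not None or parts.password is not None:
        # https://contoso.vault.azure.net@evil.example/ passes a naive string check
        # but its real host is evil.example
        raise SsrfRejected("userinfo is not allowed")
    host = parts.hostname or ""
    suffix = next((s for s in ALLOWED_SUFFIXES if host.endswith(s)), None)
    if suffix is None:
        raise SsrfRejected("host is not under an allowed vault suffix")
    if not VAULT_LABEL.fullmatch(host[: -len(suffix)]):
        raise SsrfRejected("vault name must be a single DNS label")
    try:
        port = parts.port          # raises ValueError for out-of-range ports
    except ValueError as exc:
        raise SsrfRejected("malformed port") from exc
    if port not in (None, 443):
        raise SsrfRejected("only port 443 is allowed")
    try:
        _, _, addrs = resolver(host)
    except OSError as exc:
        raise SsrfRejected("host does not resolve") from exc
    if not addrs or not all(_is_public(a) for a in addrs):
        raise SsrfRejected("host resolves to a non-public address")
    return f"https://{host}{parts.path or '/'}"


# --- Durable specimen corpus: (input, should_be_rejected) -------------------
# Constructed sample inputs for this example, not Microsoft's corpus.
SPECIMEN_CORPUS = [
    ("https://contoso.vault.azure.net/secrets/db", False),
    ("https://contoso.managedhsm.azure.net/keys/k1", False),
    ("http://contoso.vault.azure.net/secrets/db", True),        # plaintext scheme
    ("https://169.254.169.254/metadata/instance", True),         # instance metadata
    ("https://contoso.vault.azure.net.evil.example/", True),     # suffix spoof
    ("https://contoso.vault.azure.net@evil.example/", True),     # userinfo trick
    ("https://a.b.vault.azure.net/", True),                      # extra label
    ("https://contoso.vault.azure.net:8443/", True),             # odd port
    ("https://contoso.vault.azure.net:65536/", True),            # malformed port
]


def fake_resolver_public(host):
    """Constructed stand-in for socket.gethostbyname_ex returning a public address."""
    return (host, [], ["20.0.0.10"])


def fake_resolver_private(host):
    """Constructed stand-in returning a private address (rebinding / private zone)."""
    return (host, [], ["10.0.0.5"])


def is_rejected(url, resolver=fake_resolver_public):
    try:
        validate_vault_url(url, resolver=resolver)
        return False
    except SsrfRejected:
        return True


def run_corpus(resolver=fake_resolver_public):
    """Return the corpus entries whose verdict differs from the recorded expectation."""
    return [(u, exp) for u, exp in SPECIMEN_CORPUS if is_rejected(u, resolver) != exp]


if __name__ == "__main__":
    print("corpus failures:", run_corpus())
    print("specimen fetched:", specimen_fetch("https://169.254.169.254/metadata/instance", lambda u: u))
```

The resolver check catches hostnames that point into private or link-local space, but there is still a window between this lookup and the HTTP client’s own lookup (DNS rebinding). A stricter design connects to the address just validated and sets the Host header and SNI to the vault name, or uses a client that lets you pin the resolved address. The corpus is the part worth keeping after the investigation closes: any regression in the validator or in a CodeQL query shows up as a non-empty result from `run_corpus`.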

This investment in new technology to reduce the prevalence of SSRF vulnerabilities helps ensure the security of Azure applications for our customers. By identifying and addressing these vulnerabilities, we are able to provide a more secure platform for our customers on which to build and run their applications.

In summary, Azure has been a leader in the development and implementation of variant hunting as a method for identifying and addressing potential security threats. We have hired and deployed a global team focused exclusively on variant hunting, working closely with the rest of the security experts at Microsoft. This work has resulted in more than 800 distinct security improvements to Azure services since July 2022. We encourage security organizations all over the world to adopt or expand variant hunting as part of your continuous learning efforts to further improve security.

Source: microsoft.com

Saturday, 11 February 2023

Automate your attack response with Azure DDoS Protection solution for Microsoft Sentinel

DDoS attacks are best known for taking down applications and websites by overwhelming servers and infrastructure with large amounts of traffic. However, cybercriminals also use DDoS attacks in service of other objectives: to exfiltrate data, to extort, or to act politically or ideologically. One of the most damaging features of DDoS attacks is their ability to disrupt and create chaos in targeted organizations or systems. This suits bad actors who use DDoS as a smokescreen for more sophisticated attacks, such as data theft, and it shows how cybercriminals increasingly intertwine multiple attack vectors to achieve their goals.

Azure offers several network security products that help organizations protect their applications: Azure DDoS Protection, Azure Firewall, and Azure Web Application Firewall (WAF). Customers deploy and configure each of these services separately to enhance the security posture of their protected environment and applications in Azure. Each product has a unique set of capabilities to address specific attack vectors, but the greatest benefit comes from using them together: combined, these three products provide more comprehensive protection. To combat modern attack campaigns, one should use a suite of products and correlate security signals between them, so that multi-vector attacks can be detected and blocked.

We are announcing a new Azure DDoS Protection Solution for Microsoft Sentinel. It allows customers to identify bad actors from Azure’s DDoS security signals and block possible new attack vectors in other security products, such as Azure Firewall.

Using Microsoft Sentinel as the glue for attack remediation


Each of Azure’s network security services is fully integrated with Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution. However, the real power of Sentinel is in collecting security signals from these separate security services and analyzing them to create a centralized view of the attack landscape. Sentinel correlates events and creates incidents when anomalies are detected. It then automates the response to mitigate sophisticated attacks.

In our example case, when cybercriminals use a DDoS attack as a smokescreen for data theft, Sentinel detects the DDoS attack and uses the information it gathers on attack sources to prevent the next phases of the adversary lifecycle. Using remediation capabilities in Azure Firewall (and, in the future, other network security services), the attacking DDoS sources are blocked. This cross-product detection and remediation, with Sentinel as the orchestrator, strengthens the security posture of the organization.

Automated detection and remediation of sophisticated attacks


Our new Azure DDoS Protection Solution for Sentinel provides a single consumable solution package that allows customers to achieve this level of automated detection and remediation. The solution includes the following components:

1. Azure DDoS Protection data connector and workbook.

2. Alert rules that help retrieve the source DDoS attackers. These are new rules we created specifically for this solution. These rules may be utilized by customers to achieve other objectives for their security strategy.

3. A Remediation IP Playbook that automatically creates remediation in Azure Firewall to block the source DDoS attackers. Although we document and demonstrate remediation with Azure Firewall, any third-party firewall that has a Sentinel playbook can be used for remediation, so customers can use this new DDoS solution with any firewall.

The solution is initially released for Azure Firewall (or any third-party firewall), and we plan to enhance it to support Azure WAF soon.

Let’s see a couple of use cases for this cross-product attack remediation.

Use case #1: remediation with Azure Firewall

Let’s consider an organization that uses Azure DDoS Protection and Azure Firewall, and the attack scenario in the following figure:

[Figure: Azure DDoS Protection Solution attack scenario]

An adversary controls a compromised bot. They start with a DDoS smokescreen attack, targeting the resources in the organization’s virtual network. They then plan to reach the network resources through scanning and phishing attempts until they are able to gain access to sensitive data.

Azure DDoS Protection detects the smokescreen attack and mitigates the volumetric network flood. In parallel, it starts sending log signals to Sentinel. Sentinel then retrieves the attacking IP addresses from the logs and deploys remediation rules in Azure Firewall. These rules prevent the same sources from launching follow-on, non-DDoS attacks against the resources in the virtual network, even after the DDoS attack ends and DDoS mitigation ceases.
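The solution components listed above and use case #1 describe one pipeline: take the attacking source IPs from the DDoS mitigation logs and turn them into a deny rule in Azure Firewall. The Python below is an added example of that playbook logic written for this page; it is not the solution’s own alert rules or playbook. The log records and their field names, the hit threshold and the allowlist are constructed for the example, and the rule-collection shape follows the Azure Firewall policy schema as assumed here and should be checked against the current ARM reference before use.

```python
import ipaddress
import json
from collections import Counter

# Constructed sample records shaped like DDoS mitigation flow-log entries.
# The field names are assumptions for this example, not the service's real schema.
SAMPLE_FLOW_LOGS = [
    {"sourceIp": "203.0.113.7",   "destIp": "20.50.1.9", "protocol": "UDP", "dropped": True},
    {"sourceIp": "203.0.113.7",   "destIp": "20.50.1.9", "protocol": "UDP", "dropped": True},
    {"sourceIp": "203.0.113.7",   "destIp": "20.50.1.9", "protocol": "UDP", "dropped": True},
    {"sourceIp": "198.51.100.22", "destIp": "20.50.1.9", "protocol": "TCP", "dropped": True},
    {"sourceIp": "198.51.100.22", "destIp": "20.50.1.9", "protocol": "TCP", "dropped": True},
    {"sourceIp": "192.0.2.250",   "destIp": "20.50.1.9", "protocol": "TCP", "dropped": True},   # org's own scanner range
    {"sourceIp": "192.0.2.250",   "destIp": "20.50.1.9", "protocol": "TCP", "dropped": True},
    {"sourceIp": "10.0.0.4",      "destIp": "20.50.1.9", "protocol": "TCP", "dropped": True},   # RFC 1918: never deny-list
    {"sourceIp": "10.0.0.4",      "destIp": "20.50.1.9", "protocol": "TCP", "dropped": True},
    {"sourceIp": "203.0.113.8",   "destIp": "20.50.1.9", "protocol": "UDP", "dropped": True},   # one hit: below threshold
    {"sourceIp": "198.51.100.23", "destIp": "20.50.1.9", "protocol": "TCP", "dropped": False},  # forwarded, not flood
]

# Ranges a public deny rule should never contain (your own VNets, loopback, link-local, CGNAT).
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10", "0.0.0.0/8")]


def _blockable(ip_text):
    """True for a syntactically valid IPv4 address outside NEVER_BLOCK."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.version == 4 and not any(ip in net for net in NEVER_BLOCK)


def extract_attack_sources(records, min_hits=2, allowlist=()):
    """Stand-in for the alert-rule step: sources that mitigation dropped at least
    min_hits times, minus never-block ranges and an operator-maintained allowlist."""
    hits = Counter(r["sourceIp"] for r in records if r.get("dropped"))
    allowed = [ipaddress.ip_network(a) for a in allowlist]
    sources = []
    for ip_text, count in hits.items():
        if count < min_hits or not _blockable(ip_text):
            continue
        ip = ipaddress.ip_address(ip_text)
        if any(ip in net for net in allowed):
            continue
        sources.append(ip_text)
    return sorted(sources, key=ipaddress.ip_address)


def build_deny_collection(sources, protected_ips, name="ddos-smokescreen-block",
                          priority=100, max_per_rule=1000):
    """Stand-in for the playbook step: a Deny rule collection for an Azure Firewall
    policy. Shape assumed from the Firewall policy rule-collection schema."""
    if not sources:
        return None
    rules = []
    for i in range(0, len(sources), max_per_rule):      # chunk to stay under per-rule limits
        rules.append({
            "ruleType": "NetworkRule",
            "name": f"{name}-{i // max_per_rule}",
            "ipProtocols": ["Any"],
            "sourceAddresses": sources[i:i + max_per_rule],
            "destinationAddresses": list(protected_ips),
            "destinationPorts": ["*"],
        })
    return {
        "name": name,
        "priority": priority,
        "ruleCollectionType": "FirewallPolicyFilterRuleCollection",
        "action": {"type": "Deny"},
        "rules": rules,
    }


def playbook(records, protected_ips, allowlist=(), min_hits=2):
    """End-to-end: logs -> attacking sources -> JSON rule collection (None if nothing to block)."""
    collection = build_deny_collection(
        extract_attack_sources(records, min_hits, allowlist), protected_ips)
    return None if collection is None else json.dumps(collection, indent=2)


if __name__ == "__main__":
    print(playbook(SAMPLE_FLOW_LOGS, ["20.50.1.9"], allowlist=["192.0.2.0/24"]))
```

Two caveats a practitioner should carry into the real playbook: volumetric floods frequently carry spoofed source addresses, so a deny list built from them can block third parties who never attacked you, and Azure Firewall rules do not expire on their own. A hit threshold, an allowlist of your own egress and partner ranges, and a scheduled review that removes stale entries keep the automation from turning a smokescreen into a self-inflicted outage.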

Use case #2: remediation with Azure WAF (coming soon)

Now, let’s consider another organization that runs a web application in Azure and uses Azure DDoS Protection and Azure WAF to protect it. The adversary’s objective in this case is to exfiltrate sensitive data from the web application: they start with a DDoS smokescreen attack and then launch web attacks against the application.

[Figure: Azure DDoS Protection Solution, web application scenario]

When Azure DDoS Protection detects the volumetric smokescreen attack, it starts mitigating it and sends logs to Sentinel. Sentinel retrieves the attack sources and applies remediation in Azure WAF to block future web attacks on the application.

Get started with Azure DDoS protection today


As attackers employ advanced multi-vector attack techniques during the adversary lifecycle, it’s important to harness security services as much as possible to automatically orchestrate attack detection and mitigation.

For this reason, we created the new Azure DDoS Protection solution for Microsoft Sentinel that helps organizations to protect their resources and applications better against these advanced attacks. We will continue to enhance this solution and add more security services and use cases.

Source: microsoft.com

Thursday, 6 October 2022

Azure Firewall Basic now in preview

Organizations are experiencing an increase in both the volume and sophistication of cyberattacks with the acceleration of digital transformation and the increase in hybrid work. While organizations of all sizes face similar security risks, cybersecurity is rapidly becoming a top concern for small and medium businesses (SMBs) with the shift to remote work and new digital business models. SMBs are particularly vulnerable as they are faced with budget constraints and gaps in specialized security skills. In a recent research study, over 60 percent of small businesses experienced a cyberattack and were left unable to operate.

Microsoft is constantly innovating to help secure customers’ digital assets in an evolving threat landscape and to help SMB customers with their cloud adoption journey. Today, we are excited to announce the preview of Azure Firewall Basic.

Azure Firewall Basic is a new SKU of Azure Firewall designed to meet the needs of SMBs by providing enterprise-grade protection of their cloud environment at an affordable price point. It is a cloud-native, highly available, stateful firewall as a service offering that enables customers to centrally govern and log all of their traffic flows with essential capabilities at scale.

Cost-effective, enterprise-grade security built for SMBs


Azure Firewall Basic includes Layer 3–Layer 7 filtering and alerts on malicious traffic with built-in threat intelligence from Microsoft Threat Intelligence. With tight integration with other Azure services, such as Azure Monitor, Azure Event Hubs, Microsoft Sentinel, and Microsoft Defender for Cloud, you gain more visibility into your environment and can identify and respond to threats more quickly.

Key features of Azure Firewall Basic


Comprehensive, cloud-native network firewall security.

◉ Network and application traffic filtering.
◉ Threat intelligence to alert on malicious traffic.
◉ Built-in high availability.
◉ Seamless integration with other Azure services.

Simple setup and easy to use.

◉ Set up in just a few minutes.
◉ Automate deployment (deploy as code).
◉ Zero maintenance with automatic updates.
◉ Central management via Azure Firewall Manager.

Cost-effective.

◉ Designed to deliver essential, cost-effective Firewall protection for your resources within your virtual network.


Choosing the right Azure Firewall SKU to meet your needs


Azure Firewall now supports three different SKUs to cater to a wide range of customer use cases and preferences.

◉ Azure Firewall Premium is recommended to secure highly sensitive applications (such as payment processing). It supports advanced threat protection capabilities like malware and TLS inspection.

◉ Azure Firewall Standard is recommended for customers who need a Layer 3–Layer 7 firewall that auto-scales to handle peak traffic periods of up to 30 Gbps. It supports enterprise features like threat intelligence, DNS proxy, custom DNS, and web categories.

◉ Azure Firewall Basic is recommended for SMB customers with throughput needs of less than 250 Mbps.

Let’s take a closer look at the features across the three Azure Firewall SKUs.


Azure Firewall Basic pricing


Similar to the Standard and Premium SKUs, Azure Firewall Basic pricing includes both deployment and data processing charges.

Source: microsoft.com

Saturday, 14 May 2022

Customize your secure VM session experience with native client support on Azure Bastion

As organizations move their mission-critical workloads to the cloud, connecting to virtual machines (VMs) directly over the public internet is becoming more of a security risk. The more public IP addresses a customer has attached to VMs in their virtual network, the larger their attack surface becomes and the more vulnerable they are to security threats. The more secure alternative is to deploy a managed jumpbox service that reduces the number of public entry points to a customer’s resources in the cloud. The ideal managed jumpbox service should prioritize both security and flexibility to choose how you connect to your resources. Azure Bastion, Azure’s managed jumpbox service, now provides customers with the ability to customize their connection experience to use a native client of their choice.

Azure Bastion overview


Azure Bastion is a fully managed jumpbox-as-a-service that provides secure and seamless Remote Desktop Protocol (RDP) and Secure Shell Protocol (SSH) access to your VMs in local or peered virtual networks. Azure Bastion provides connectivity directly from the Azure portal using Transport Layer Security (TLS). With Azure Bastion, your VMs do not need a public IP address, protecting your virtual machines from exposing RDP and SSH ports to threats on the public internet, while still providing secure access using RDP and SSH. With native client support available on the Standard SKU for Azure Bastion, you now unlock customizable features and added functionality in your VM sessions.


More flexibility to choose how you connect to your VMs


The primary way to connect to your VMs using Azure Bastion is through a quick and simple experience in the Azure portal. Users and administrators can navigate to their Azure VM in the portal and then open a web-based VM session using Azure Bastion. This experience eliminates the need to download any clients or agents, or to configure files, prior to accessing the VM.

Some customers value integration with existing and familiar processes. With the support for native clients on Azure Bastion, these customers can use command-line based access and a native client of their choice to reach their target VMs. This allows them to use Azure Bastion with a more accessible or familiar user interface, and to integrate connectivity to VMs via the service into their existing scripts.

Native client support offers three Azure CLI commands: az network bastion rdp, az network bastion ssh, and az network bastion tunnel. The az network bastion rdp and az network bastion ssh commands connect to the target VM directly, using the mstsc and az ssh clients respectively. The az network bastion tunnel command allows more flexibility: it establishes a tunnel to the target VM on a specified port, and the user then connects to the VM through that port with a custom client of their choice.

Customers now can choose how they connect to their VMs via Azure Bastion—a simple, quick web-based experience or an integrated and customizable experience using a native client.

Simplify your login experience with Azure AD-based authentication


Azure Bastion native client support also unlocks an additional authentication option for users. With the az network bastion rdp and az network bastion ssh commands, users can use their Azure Active Directory (Azure AD) account to access their VMs. Using Azure AD for authentication provides enhanced identity security in conjunction with Azure Bastion’s existing networking security by eliminating the need to manage local VM credentials. For SSH, the Azure AD authentication also simplifies the connect experience by using the credentials the user has already provided to log into Azure CLI and taking them directly to their VM session.

File upload and download to a VM using a native client


Azure Bastion now supports file transfer between your target VM and local computer using Azure Bastion and a native RDP or SSH client. To both upload and download files, users must use the Windows native client on a Windows machine and the az network bastion rdp command. With RDP, users can easily transfer files between their target VM and local Windows machine in just a few clicks. For customers using non-Windows native clients or SSH, the az network bastion tunnel command supports file upload from your local computer to target VM. Third-party clients may also support file download for these scenarios.

Source: microsoft.com

Tuesday, 3 May 2022

Announcing new investments to help accelerate your move to Azure


As businesses adapt to new ways of operating, IT leaders are presented with increasing challenges to achieving sustainable growth. Ensuring your business continues to run without interruptions while adapting and transforming can be paramount. If your company is looking for options to migrate your server estate to the cloud, we have news for you.

Outstanding offers

Extended Security Updates, and Azure Migration and Modernization Program support for larger migration projects.

Microsoft has great offers for Windows Server and SQL Server customers looking to move to the cloud. Azure offers free Extended Security Updates for SQL Server 2012 and Windows Server 2012/2012 R2, giving you more time to modernize supported applications for three additional years beyond the 10 years granted by Microsoft Support. Microsoft also allows customers to save significantly when running their workloads in Azure Virtual Machines with Azure Hybrid Benefit, which combined with reserved instances can enable up to 85 percent savings when compared to other cloud services.

To help support your migration and modernization to the cloud, mitigating potential unforeseen risks and costs, Microsoft is expanding the Azure Migration and Modernization Program (AMMP). In the past years, AMMP has helped thousands of customers like Jotun unlock the value of the cloud, bringing together the right mix of resources and best practices at every stage of their journey. We’re now investing significantly more to support your largest Windows/SQL Server migration and modernization projects—up to 2.5 times larger based on project eligibility. This investment will help with your migration in two ways: partner assistance with planning and moving your workloads, and Azure credits that offset transition costs during your move to Azure SQL Managed Instance and Azure SQL Database.

Unparalleled innovation

Unlock your SQL Server and Windows Server’s greatest potential in Azure, with unique capabilities and more options for true hybrid cloud flexibility. With Microsoft you can choose the option that aligns best to your business needs, migrating and modernizing servers with solutions like Windows Server and SQL Server running in virtual machines (VMs), Azure SQL managed databases, and hybrid management through Azure Arc.

When you have your VMs in Azure, management becomes simplified with dedicated solutions such as Azure Automanage and Windows Admin Center in the Azure portal. Azure SQL allows you to spend more time innovating and less time patching, updating, and backing up your databases, as Azure is the only cloud with evergreen SQL that automatically applies the latest updates and patches so that your databases are always up to date, eliminating end-of-support hassles. Azure SQL also features built-in AI that automatically tunes databases ensuring peak performance for every database, delivering leading price-performance.

Unmatched security

Security is foundational for Azure. If your company is running SQL Server 2012 and Windows Server 2012/2012 R2, this is the time to consider assessing those environments as they reach the end of support on July 12, 2022 and October 10, 2023 respectively. Not having support means the end of security updates, which may leave your business exposed to security risks and compliance concerns. Azure offers three years of extended security updates.

Multilayered security is provided across physical datacenters, infrastructure, and operations with cyber security experts actively monitoring to protect your Windows Server and SQL Server, including in hybrid deployments with Azure Arc. Microsoft has more than 3,500 cybersecurity professionals and spends $1 billion annually on security to help protect, detect, and respond to threats, so you can grow a safe and secure business. The Azure platform is a leader in compliance coverage with 90 plus compliance offers that allow you to proactively safeguard your data and streamline compliance. Our commitment to privacy is uncompromising. Our core privacy principle is, you own your data. We will never use it for marketing or advertising purposes, in turn providing you confidence around data storage and security. 

Source: microsoft.com

Sunday, 1 May 2022

Meet PCI compliance with credit card tokenization

In building and running a business, the safety and security of your and your customers' sensitive information and data is a top priority, especially when storing financial information and processing payments are concerned. The Payment Card Industry Data Security Standard (PCI DSS) defines a set of regulations put forth by the largest credit card companies to help reduce costly consumer and bank data breaches.


In this context, PCI compliance refers to meeting the PCI DSS’ requirements for organizations and sellers to help safely and securely accept, store, process, and transmit cardholder data during credit card transactions, to prevent fraud and theft.

Towards confidential computing

In June 2021, the Monetary Authority of Singapore (MAS) issued an advisory circular on addressing the technology and cyber security risks associated with public cloud adoption. The paper describes a set of risk management principles and best practice standards to guide financial institutions in implementing appropriate data security measures to help protect the confidentiality and integrity of sensitive data in the public cloud, taking into consideration data-at-rest, data-in-motion, and data-in-use where applicable. Specifically, in section 21, reproduced below, for data that is being used or processed in the public cloud, financial institutions (FIs) may implement confidential computing solutions if available from the cloud service provider. Confidential computing solutions protect data by isolating sensitive data in a protected, hardware-based computing enclave.

Data security and cryptographic key management

FIs should implement appropriate data security measures to protect the confidentiality and integrity of sensitive data in the public cloud, taking into consideration data-at-rest, data-in-motion and data-in-use where applicable.

◉ For data-at-rest, that is, data in cloud storage, FIs may implement additional measures e.g. data object encryption, file encryption or tokenization in addition to the encryption provided at the platform level.

◉ For data-in-motion, that is, data that traverses to and from, and within the public cloud, FIs may implement session encryption or data object encryption in addition to the encryption provided at the platform level.

◉ For data-in-use, that is, data that is being used or processed in the public cloud, FIs may implement confidential computing solutions if available from the CSPs. Confidential computing solutions protect data by isolating sensitive data in a protected, hardware-based computing enclave during processing.

Confidential virtual machines

On this basis, FIs can leverage Azure confidential computing to build an end-to-end data and code protection solution on the latest technology for hardware-based memory encryption. The solution presented in this article for processing credit card payments makes use of confidential virtual machines (CVMs) running on AMD Secure Encrypted Virtualization (SEV)—Secure Nested Paging (SNP) technology.

AMD introduced SEV to isolate virtual machines from the hypervisor. Hypervisors are typically considered trusted components in the virtualization security model, and many customers have requested a VM trust model which reduces the exposure to vulnerabilities in the infrastructure. With SEV, individual VMs are assigned a unique encryption key wired in the CPU, used for automatically encrypting the memory allocated by the hypervisor to run a VM.

The latest generation of SEV technology includes SNP capability. SNP adds new hardware-based security by providing strong memory integrity protection from potential attacks to the hypervisor, including data replay and memory re-mapping.

Azure confidential computing offers confidential VMs based on AMD processors with SEV-SNP technology. Confidential VMs are for tenants with high security and confidentiality requirements. You can use confidential VMs for migrations without making changes to your code, with the platform helping to protect your VM’s state from being read or modified. Benefits of confidential VMs include:

◉ Robust hardware-based isolation between virtual machines, hypervisor, and host management code.

◉ Attestation policies to ensure the host’s compliance before deployment.

◉ Cloud-based full-disk encryption before the first boot.

◉ VM encryption keys that the platform or the customer (optionally) owns and manages.

◉ Secure key release with cryptographic binding between the platform’s successful attestation and the VM’s encryption keys.

◉ Dedicated virtual Trusted Platform Module (TPM) instance for attestation and protection of keys and secrets in the virtual machine.

Provisioning a confidential VM in Azure is as simple as provisioning any other virtual machine, using your preferred tool, either manually via the Azure Portal or by scripting with the Azure command-line interface (CLI). Figure 2 shows the process of creating a virtual machine in the Azure Portal, with specific attention to the “Security type” attribute. To provision a confidential VM based on AMD SEV-SNP technology, you have to select that specific entry in the dropdown list. At the time of writing (March 2022), confidential VMs are in preview in Azure, and thus limited in availability across regions. As this service enters general availability, more regions will be available for deployment.

Figure 1: Confidential Virtual Machine in Azure Portal.

Credit card tokenization

In the scenario above in Figure 2, the tokenization process behaves as a random oracle: given an input, it generates an unpredictable output, and that output varies on every call even when the same input is provided. For example, when a customer makes a second payment using the same credit card as in a previous transaction, the token generated will be different. Lastly, when that random output is presented back to the service, the tokenization interface returns the original input.

It is not by coincidence that I used the term “interface” to describe this tokenization service. Indeed, the technical implementation of such a random generator is a Web API running on the .NET 6 runtime. Figure 3 describes the reference architecture for the solution.

Figure 2: Credit card tokenization architecture reference.

1. A payment transaction is initiated by the customer and payment data is transferred to the .NET Web API. This API is running on a confidential VM.

2. The random token is generated by the API based on the input data. Tokenization also includes encryption of that data with a symmetric cryptographic algorithm (specifically AES).

3. The encryption key is stored in Azure Key Vault running on a managed Hardware Security Module (HSM). This is a critical component of the confidential solution, as the encryption key is preserved inside the HSM, which helps protect keys from the cloud provider or any other rogue administrator. Only the Web API app is authorized to access the secret key.

The following code snippets show the implementation of the key retrieval from AKV inside the Get method of the Web API.

using System.Text.Json;
using Azure.Security.KeyVault.Secrets;

[HttpGet(Name = "GetToken")]
public async Task<TokenTuple> Get(CreditCard card)
{
    // Retrieve the AES encryption key from AKV. The vault name comes from the
    // environment; DefaultAzureCredential picks up the app's Azure identity, so
    // no credential for the vault is embedded in the code.
    string akvName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
    var akvUri = $"https://{akvName}.vault.azure.net";
    var akvClient = new SecretClient(new Uri(akvUri), new Azure.Identity.DefaultAzureCredential());
    var secret = await akvClient.GetSecretAsync("AesEncryptionKey");
    EncryptionKey key = JsonSerializer.Deserialize<EncryptionKey>(secret.Value.Value);

    // ... the method continues with encryption and enqueueing (see step 4)

Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs.

The service is highly available and zone resilient (where availability zones are supported): Each HSM cluster consists of multiple HSM partitions that span across at least two availability zones. If the hardware fails, member partitions for your HSM cluster will be automatically migrated to healthy nodes.

Each Managed HSM instance is dedicated to a single customer and consists of a cluster of multiple HSM partitions. Each HSM cluster uses a separate customer-specific security domain that cryptographically isolates each customer's HSM cluster.

The HSM is FIPS 140-2 Level 3 validated, which means that it meets the compliance requirements of Federal Information Processing Standard 140-2 Level 3.

AKV Managed Hardware Security Module (MHSM) also assists with data residency as it doesn't store and process customer data outside the region the customer deploys the HSM instance in.

Lastly, with AKV MHSM, customers can generate HSM-protected keys in their own on-premises HSM and import them securely into Azure.

4. The obtained encryption key is then used to encrypt the payment data with a symmetric cipher. The encrypted value is associated with a newly generated token and added as a message to the queue. In the code snippet below, the token and the encrypted data are stored as a pair in a tuple object and then enqueued.

// Encrypt the credit card information
string json = JsonSerializer.Serialize(card);
string encrypted = SymmetricCipher.EncryptToString(json, key);

// Generate token
Token token = Token.CreateNew();

// Add the token tuple to the queue
TokenTuple tuple = new (token, encrypted);
QueueManager.Instance.Enqueue(tuple);

5. The generated token is added to an in-memory queue. There is no persistence of data in the solution. The token expires after a configurable amount of time, typically a few seconds, which gives the payment gateway time to process the payment information from the queue. The combination of running this solution on a confidential infrastructure and the volatility of data in the queue helps customers make their system PCI compliant: no sensitive payment data is stored or processed in clear text.

6. The queue mechanism can be implemented with any highly reliable queue engine, such as RabbitMQ. Because the solution runs in a confidential VM, data in the queue remains confidential during in-memory processing even when a third-party application such as RabbitMQ is used, with no code changes.

7. The payment gateway implements the Publish-Subscribe pattern (Pub-Sub) for retrieving messages from the queue, using a webhook for registering the endpoint to invoke and de-queue a message.

[HttpGet(Name = "ResolveToken")]
public async Task Post(string subscriberUri)
{
    // Dequeue the next token tuple and deliver it to the subscriber's webhook
    TokenTuple tuple = QueueManager.Instance.Dequeue();
    await HttpClientFactory.PostAsync(subscriberUri, tuple);
}
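As an added example (not code from the original post or from the Microsoft solution), the following stand-alone C# program models steps 1 to 7 above together with the random-oracle property described earlier: a CSPRNG token, AES-GCM encryption of the serialized card, and a volatile in-memory store with a short TTL standing in for the RabbitMQ queue. The `CreditCard` record, the `TokenVault` class, the locally generated key (the article fetches it from Key Vault) and the sample card number are all constructed for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Constructed record standing in for the article's CreditCard type.
public record CreditCard(string Pan, string Expiry, string Holder);

public static class Token
{
    // 16 CSPRNG bytes: the token reveals nothing about the card and differs on
    // every call, even for the same card (the "random oracle" behaviour).
    public static string CreateNew() => Convert.ToHexString(RandomNumberGenerator.GetBytes(16));
}

public static class SymmetricCipher
{
    private const int NonceLen = 12, TagLen = 16; // AES-GCM nonce and tag sizes

    // AES-256-GCM with a fresh nonce per message; output is base64(nonce || ciphertext || tag).
    public static string EncryptToString(string plaintext, byte[] key)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLen);
        byte[] pt = Encoding.UTF8.GetBytes(plaintext);
        byte[] ct = new byte[pt.Length];
        byte[] tag = new byte[TagLen];
        using var aes = new AesGcm(key);
        aes.Encrypt(nonce, pt, ct, tag);

        byte[] blob = new byte[NonceLen + ct.Length + TagLen];
        nonce.CopyTo(blob, 0);
        ct.CopyTo(blob, NonceLen);
        tag.CopyTo(blob, NonceLen + ct.Length);
        return Convert.ToBase64String(blob);
    }

    // Throws CryptographicException if the blob was altered or the key is wrong (GCM tag check).
    public static string DecryptFromString(string encoded, byte[] key)
    {
        byte[] blob = Convert.FromBase64String(encoded);
        if (blob.Length < NonceLen + TagLen)
            throw new CryptographicException("ciphertext too short");
        ReadOnlySpan<byte> nonce = blob.AsSpan(0, NonceLen);
        ReadOnlySpan<byte> ct = blob.AsSpan(NonceLen, blob.Length - NonceLen - TagLen);
        ReadOnlySpan<byte> tag = blob.AsSpan(blob.Length - TagLen, TagLen);
        byte[] pt = new byte[ct.Length];
        using var aes = new AesGcm(key);
        aes.Decrypt(nonce, ct, tag, pt);
        return Encoding.UTF8.GetString(pt);
    }
}

// Constructed stand-in for the article's QueueManager: keyed by token, in memory only,
// so nothing is persisted and an entry disappears once resolved or once its TTL passes.
public sealed class TokenVault
{
    private readonly ConcurrentDictionary<string, (string Encrypted, DateTimeOffset Expires)> _entries = new();
    private readonly TimeSpan _ttl;

    public TokenVault(TimeSpan ttl) => _ttl = ttl;

    public string Tokenize(CreditCard card, byte[] key)
    {
        string token = Token.CreateNew();
        string encrypted = SymmetricCipher.EncryptToString(JsonSerializer.Serialize(card), key);
        _entries[token] = (encrypted, DateTimeOffset.UtcNow + _ttl);
        return token;
    }

    // Single-use: the entry is removed on the first lookup; expired entries are refused.
    public CreditCard? Resolve(string token, byte[] key)
    {
        if (!_entries.TryRemove(token, out var entry)) return null;
        if (entry.Expires <= DateTimeOffset.UtcNow) return null;
        return JsonSerializer.Deserialize<CreditCard>(
            SymmetricCipher.DecryptFromString(entry.Encrypted, key));
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample key and card; the article fetches the key from Azure Key Vault.
        byte[] key = RandomNumberGenerator.GetBytes(32);
        var vault = new TokenVault(TimeSpan.FromSeconds(5));
        var card = new CreditCard("4111111111111111", "12/26", "Test Holder");

        string t1 = vault.Tokenize(card, key);
        string t2 = vault.Tokenize(card, key);
        Console.WriteLine($"same card, different tokens: {t1 != t2}");

        CreditCard? back = vault.Resolve(t1, key);
        Console.WriteLine($"PAN recovered by the gateway: {back?.Pan == card.Pan}");
        Console.WriteLine($"token cannot be replayed: {vault.Resolve(t1, key) is null}");
    }
}
```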

Source: microsoft.com

Thursday, 17 March 2022

Secure your APIs with Private Link support for Azure API Management

Azure API Management is a fully managed service that enables customers to publish, secure, transform, maintain, and monitor APIs. With a few clicks in the Azure portal, you can create an API facade that acts as a “front door” through which external and internal applications can access data or business logic implemented by your custom-built backend services, running on Azure, for example on Azure App Service or Azure Kubernetes Service, or hosted outside of Azure, in a private datacenter or on-premises. Azure API Management handles all the tasks involved in mediating API calls, including request authentication and authorization, rate limit and quota enforcement, request and response transformation, logging and tracing, and API version management.

Azure API Management helps you in:

◉ Unlocking legacy assets—APIs are used to abstract and modernize legacy backends and make them accessible from new cloud services and modern applications. APIs allow innovation without the risk, cost, and delays of migration.

◉ Create API-centric app integration—APIs are easily consumable, standards-based, and self-describing mechanisms for exposing and accessing data, applications, and processes. They simplify and reduce the cost of app integration.

◉ Enable multi-channel user experiences—APIs are frequently used to enable user experiences such as web, mobile, wearable, or Internet of Things (IoT) applications. Reuse APIs to accelerate development and return on investment (ROI).

◉ Business-to-business (B2B) integration—APIs exposed to partners and customers lower the barrier to integrate business processes and exchange data between business entities. APIs eliminate the overhead inherent in point-to-point integration. Especially with self-service discovery and onboarding enabled, APIs are the primary tools for scaling B2B integration.

We are happy to announce the preview of Azure Private Link support for Azure API Management service. If you are not familiar with Azure API Management, when you deploy this service, you get three main components: Azure portal, gateway, and management plane. With Azure Private Link we can create a private endpoint for the gateway component, which will be exposed through a private IP within your virtual network. This will allow inbound traffic coming to the private IP to reach Azure API Management gateway.

Azure Private Link

With Azure Private Link, communications between your virtual network and the Azure API Management gateway travel over the Microsoft backbone network privately and securely, eliminating the need to expose the service to public internet.

Key benefits of Azure Private Link

Through this functionality we will provide the same consistent experience found in other PaaS services with private endpoints:

◉ Private access from Azure Virtual Network resources, peered networks, and on-premises networks.

◉ Built-in data exfiltration protection for Azure resources.

◉ Predictable private IP addresses for PaaS resources.

◉ Consistent and unified experience across PaaS services.

Private endpoints and public endpoints

Figure 1: Architecture diagram depicting the secure and private connectivity to Azure API Management Gateway—when using Azure Private Link.

Azure Private Link provides private endpoints that are reachable through private IPs. In the case above, the contoso.azure-api.net gateway has a private IP of 10.0.0.6 which is only reachable from resources in contoso-apim-eastus-vnet. This allows the resources in that virtual network to communicate with the gateway securely, and access to the gateway can be restricted to resources within the virtual network only.

At the same time, the public endpoint for the contoso.azure-api.net gateway may still be public for the development team. In this release, Azure Private Link will support disabling the public endpoint, limiting access to only private endpoints, configured under Private Link.

How to decide which networking model to use with Azure API Management?

Azure API Management also supports virtual network injection, allowing all components to be deployed inside a virtual network. With the addition of private endpoints, we have the following options for integrating inside a custom Azure Virtual Network:

Network model: Virtual network—external
   Supported tiers: Developer and Premium.
   Supported components: Azure portal, gateway, management plane, and Git repository.
   Supported traffic: Inbound and outbound traffic can be allowed to the internet, peered virtual networks, ExpressRoute, and VPN S2S connections.

Network model: Virtual network—internal
   Supported tiers: Developer and Premium.
   Supported components: Developer portal, gateway, management plane, and Git repository.
   Supported traffic: Inbound and outbound traffic can be allowed to peered virtual networks, ExpressRoute, and VPN S2S connections.

Network model: Private endpoint connection (preview)
   Supported tiers: Developer, Basic, Standard, and Premium.
   Supported components: Gateway only (managed gateway supported, self-hosted gateway not supported).
   Supported traffic: Only inbound traffic can be allowed, from the internet, peered virtual networks, ExpressRoute, and VPN S2S connections.

At this moment, these three options are mutually exclusive: you cannot choose a virtual network integration option (external or internal) in combination with private endpoint connections. Also note that only our managed gateways support private endpoint connections; the self-hosted gateway does not support private endpoints in Azure.

Preview limitations

During the preview period, only inbound traffic to the gateway is supported, only on instances using the stv2 compute platform, in all pricing tiers except Consumption, and only on instances that are not using virtual network injection (internal or external). The feature will move to general availability as we assess feedback.

With the preview of Azure Private Link for Azure API Management, you are now empowered to bring your Azure API Management instances to a virtual network using the same consistent experience of other Azure PaaS services. You can create and manage private endpoints for the gateway of your Azure API Management instance. We will be sharing more updates and content in the future, so stay tuned for new updates towards the general availability of this feature.

Source: microsoft.com

Tuesday, 8 March 2022

Microsoft DDoS protection response guide

Receiving Distributed Denial of Service (DDoS) attack threats?

DDoS threats have seen a significant rise in frequency lately, and Microsoft stopped numerous large-scale DDoS attacks last year. This guide provides an overview of what Microsoft provides at the platform level, information on recent mitigations, and best practices.

Microsoft DDoS platform

⇒ Microsoft provides robust protection against layer three (L3) and layer four (L4) DDoS attacks, which include TCP SYN, new connections, and UDP/ICMP/TCP floods.

⇒ Microsoft DDoS Protection utilizes Azure’s global deployment scale, is distributed in nature, and offers 60 Tbps of global attack mitigation capacity.

⇒ All Microsoft services (including Microsoft 365, Azure, and Xbox) are protected by platform-level DDoS protection. Microsoft's cloud services are intentionally built to support high loads, which helps to protect against application-level DDoS attacks.

⇒ All Azure public endpoint VIPs (virtual IP addresses) are guarded at platform-safe thresholds. The protection extends to traffic flows inbound from the internet, outbound to the internet, and from region to region.

⇒ Microsoft uses standard detection and mitigation techniques such as SYN cookies, rate limiting, and connection limits to protect against DDoS attacks. To support automated protections, a cross-workload DDoS incident response team identifies the roles and responsibilities across teams, the criteria for escalations, and the protocols for incident handling across affected teams.

⇒ Microsoft also takes a proactive approach to DDoS defense. Botnets are a common source of DDoS attacks, used both to amplify attacks and to keep the attacker anonymous. The Microsoft Digital Crimes Unit (DCU) focuses on identifying, investigating, and disrupting malware distribution and communications infrastructure to reduce the scale and impact of botnets.

Recent incidents

At Microsoft, despite the evolving challenges in the cyber landscape, the Azure DDoS Protection team was able to successfully mitigate some of the largest DDoS attacks ever recorded, in Azure and anywhere.

⇒ In October 2021, Microsoft reported on a 2.4 terabit per second (Tbps) DDoS attack in Azure that we successfully mitigated. Since then, we have mitigated three larger attacks.

⇒ In November 2021, Microsoft mitigated a DDoS attack with a throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps), targeting an Azure customer in Asia. As of February 2022, this is believed to be the largest attack ever reported in history. It was a distributed attack originating from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan.

Protect your applications in Azure against DDoS attacks in three steps:

Customers can protect their Azure workloads by onboarding to Azure DDoS Protection Standard. For web workloads it is recommended to use web application firewall in conjunction with DDoS Protection Standard for extensive L3-L7 protection.

1. Evaluate risks for your Azure applications. This is the time to understand the scope of your risk from a DDoS attack if you haven’t done so already.

     a. If there are virtual networks with applications exposed over the public internet, we strongly recommend enabling DDoS Protection on those virtual networks. Resources in a virtual network that require protection against DDoS attacks include Azure Application Gateway and Azure Web Application Firewall (WAF), Azure Load Balancer, virtual machines, Bastion, Kubernetes, and Azure Firewall. Review “DDoS Protection reference architectures” for more details on reference architectures that protect resources in virtual networks against DDoS attacks.


2. Validate your assumptions. Planning and preparation are crucial to understanding how a system will perform during a DDoS attack. You should be proactive to defend against DDoS attacks and not wait for an attack to happen and then act.

     a. It is essential that you understand the normal behavior of an application and prepare to act if the application is not behaving as expected during a DDoS attack. Have monitors configured for your business-critical applications that mimic client behavior and notify you when relevant anomalies are detected.

     b. Azure Application Insights is an extensible application performance management (APM) service for web developers on multiple platforms. Use Application Insights to monitor your live web application. It automatically detects performance anomalies. It includes analytics tools to help you diagnose issues and to understand what users do with your app. It's designed to help you continuously improve performance and usability.

     c. Finally, test your assumptions about how your services will respond to an attack by generating traffic against your applications to simulate a DDoS attack. Don’t wait for an actual attack to happen! We have partnered with Ixia, a Keysight company, to provide a self-service traffic generator (BreakingPoint Cloud) that allows Azure DDoS Protection customers to simulate DDoS test traffic against their Azure public endpoints.

3. Configure alerts and attack analytics. Azure DDoS Protection identifies and mitigates DDoS attacks without any user intervention.

     a. To get notified when there’s an active mitigation for a protected public IP, we recommend configuring an alert on the metric “Under DDoS attack or not”. DDoS attack mitigation alerts are automatically sent to Microsoft Defender for Cloud.

     b. You should also configure attack analytics to understand the scale of the attack, traffic being dropped, and other details.


Best practices to be followed

◉ Provision enough service capacity and enable auto-scaling to absorb the initial burst of a DDoS attack.
◉ Reduce attack surfaces; reevaluate the public endpoints and decide whether they need to be publicly accessible.
◉ If applicable, configure network security groups to further lock down surfaces.
◉ If IIS (Internet Information Services) is used, leverage IIS Dynamic IP Address Restrictions to control traffic from malicious IPs.
◉ Set up monitoring and alerting if you have not done so already. Some of the counters to monitor:
   ◉ TCP connections established
   ◉ Web current connections
   ◉ Web connection attempts
◉ Optionally, use third-party security offerings, such as web application firewalls or inline virtual appliances, from the Azure Marketplace for additional L7 protection that is not covered by Azure DDoS Protection and Azure WAF (Azure Web Application Firewall).

When to contact Microsoft support

◉ During a DDoS attack, if you find that the performance of the protected resource is severely degraded, or the resource is not available. Review step two above on configuring monitors to detect resource availability and performance issues.

◉ You think your resource is under DDoS attack, but DDoS Protection service is not mitigating the attack effectively.

◉ You're planning a viral event that will significantly increase your network traffic.

For attacks that have a critical business impact, create a severity-A support ticket to engage the DDoS Rapid Response team.

Source: microsoft.com

Thursday, 3 February 2022

Announcing the public preview of Microsoft Azure Payment HSM service


The growing trend for running payment workloads in the cloud

Momentum is building as financial institutions move some or all their payment applications to the cloud. This entails a migration from the legacy on-premises applications and hardware security modules (HSM) to a cloud-based infrastructure that is not generally under their direct control. Often it means a subscription service rather than perpetual ownership of physical equipment and software. Corporate initiatives for efficiency and a scaled-down physical presence are the drivers for this. Conversely, with cloud-native organizations, the adoption of cloud-first without any on-premises presence is their fundamental business model. End-users of a cloud-based payment infrastructure expect reduced IT complexity, streamlined security compliance, and flexibility to scale their solution seamlessly as their business grows.

Potential challenges

Cloud offers significant benefits. Yet, there are challenges when migrating a legacy on-premises payment application (involving payment HSM) to the cloud that must be addressed. Some of these are:

◉ Shared responsibility and trust—what potential loss of control in some areas is acceptable?

◉ Latency—how can an efficient, high-performance link between the application and HSM be achieved?

◉ Performing everything remotely—what existing processes and procedures may need to be adapted?

◉ Security certifications and audit compliance—how will current stringent requirements be fulfilled?

The Azure Payment HSM service addresses these challenges and delivers a compelling value proposition to the users of the service.

Introducing the Microsoft Azure Payment HSM

Today, we are excited to announce that Azure Payment HSM is in preview in East US and North Europe.

The Azure Payment HSM is a “BareMetal” service delivered using Thales payShield 10K payment HSMs to provide cryptographic key operations for real-time, critical payment transactions in the Azure cloud. Azure Payment HSM is designed specifically to help a service provider and an individual financial institution accelerate their payment system’s digital transformation strategy and adopt the public cloud. It meets stringent security, audit compliance, low latency, and high-performance requirements by the Payment Card Industry (PCI).

HSMs are provisioned and connected directly to users’ virtual networks, and HSMs are under users’ sole administrative control. HSMs can be easily provisioned as a pair of devices and configured for high availability. Users of the service utilize Thales payShield Manager for secure remote access to the HSMs as part of their Azure subscription. Multiple subscription options are available to satisfy a broad range of performance and multi-application requirements, and they can be upgraded quickly in line with end-user business growth. The highest performance level offered by Azure Payment HSM is 2,500 CPS.

Enhanced security and compliance

End-users of the service can leverage Microsoft security and compliance investments to increase their security posture. Microsoft maintains PCI DSS and PCI 3DS compliant Azure data centers, including those which house Azure Payment HSM solutions. The Azure Payment HSM can be deployed as part of a validated PCI P2PE and PCI PIN component or solution, helping to simplify ongoing security audit compliance. Thales payShield 10K HSMs deployed in the security infrastructure are certified to FIPS 140-2 Level 3 and PCI HSM v3.

*The Azure Payment HSM service is currently undergoing PCI DSS and PCI 3DS audit assessment.

Manage your Payment HSM in Azure

The Azure Payment HSM service offers complete administrative control of the HSMs to the customer. This includes exclusive access to the HSMs. The customer could be a payment service provider acting on behalf of multiple financial institutions or a financial institution that wishes to directly access the Azure Payment HSM. Once the HSM is allocated to a customer, Microsoft has no access to customer data. Likewise, when the HSM is no longer required, customer data is zeroized and erased as soon as the HSM is released to Microsoft to maintain complete privacy and security. The customer is responsible for deploying and configuring HSMs for high availability, backup and disaster recovery requirements, and to achieve the same performance available on their on-premises HSMs.

Accelerate digital transformation and innovation in cloud

The Azure Payment HSM solution offers native access to a payment HSM in Azure for ‘lift and shift’ with low latency. The solution offers high-performance transactions for mission-critical payment applications. Thales payShield customers can utilize their existing remote management solutions (payShield Manager and payShield TMD together) to work with the Azure Payment HSM service. Customers new to payShield can source the hardware accessories from Thales or one of its partners before deploying their Payment HSM.

Typical use cases

With benefits including low latency and the ability to quickly add more HSM capacity as required, the cloud service is a perfect fit for a broad range of use cases which include:

Payment processing:

◉ Card and mobile payment authorization

◉ PIN and EMV cryptogram validation

◉ 3D-Secure authentication

Payment credential issuing:

◉ Cards

◉ Mobile secure elements

◉ Wearables

◉ Connected devices

◉ Host card emulation (HCE) applications

Securing keys and authentication data:

◉ POS, mPOS, and SPOC key management

◉ Remote key loading (for ATM, POS, and mPOS devices)

◉ PIN generation and printing

◉ PIN routing

Sensitive data protection:

◉ Point-to-point encryption (P2PE)

◉ Security tokenization (for PCI DSS compliance)

◉ EMV payment tokenization

Suitable for both existing and new payment HSM users

The solution provides clear benefits both for payment HSM users with a legacy on-premises HSM footprint and for new payment ecosystem entrants with no legacy infrastructure to support, who may choose a cloud-native approach from the outset.

Benefits for existing on-premises HSM users:

◉ Requires no modifications to payment applications or HSM software to migrate existing applications to the Azure solution.

◉ Enables more flexibility and efficiency in HSM utilization.

◉ Simplifies HSM sharing between multiple geographically dispersed teams.

◉ Reduces physical HSM footprint in their legacy data centers.

◉ Improves cash flow for new projects.

Benefits for new payment participants:

◉ Avoids introduction of on-premises HSM infrastructure.

◉ Lowers upfront investment via the Azure subscription model.

◉ Offers access to the latest certified hardware and software on-demand.

Source: microsoft.com