When you are focused on cloud security, it’s good to pay attention to the innovations that Microsoft announces every year at Build on the cloud front, and to zoom in on the security nuggets that may make your life easier when it comes to using cloud-native security controls and help defenders protect their environment.
I am just extracting the security elements from the Build Book of News in case you find them interesting. Surfing the book, there is one item that I personally believe stands out from the others (not underestimating the other features!): the integration between Azure Security Center and GitHub, so customers can bring container vulnerability scan results from GitHub Actions into Security Center. What’s the take? As security shifts more control and compliance left, into the build stage of the developer life cycle, this is a great milestone for shrinking the window in which known vulnerabilities stay open, so they can be mitigated before the code goes to production.
The complete MSBuild Book of News is here: https://news.microsoft.com/build-2021-book-of-news/
So here it goes…
Always Encrypted for Azure Cosmos DB is now in preview. Customers can encrypt sensitive data inside their client app before it gets stored in their database with Always Encrypted for Azure Cosmos DB. Because encryption happens client-side, the confidential parts of a dataset are only readable by clients that hold the corresponding keys, never by the database service itself. It also enables customers who must comply with regulatory requirements to use Azure Cosmos DB to store their data securely in the cloud.
Azure Cosmos DB role-based access control (RBAC) is now generally available. Customers have enhanced control over data security in Azure Cosmos DB with RBAC and Azure Active Directory (Azure AD) integration, now available for the Core (SQL) API. Account administrators can define role definitions that state exactly which data-plane actions an identity may perform within the database, and then assign those roles to Azure AD identities to determine their access level. For example, an IoT device could insert data, but it would not have the ability to read, update or delete data.
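The write-only IoT device described above, as an added Bicep example (not from the Book of News or the Cosmos DB docs): a custom data-plane role definition that only allows creating items, assigned to one Azure AD identity and narrowed to a single container. The account, database, container and principal are parameters you supply; the role name is an assumption.

```bicep
// Added example: write-only Cosmos DB data-plane role for an IoT device identity.
// Names, parameters and the role name are assumptions for illustration.
param accountName string
param databaseName string
param containerName string
@description('Object ID of the Azure AD identity (device or managed identity) to authorise')
param devicePrincipalId string

resource account 'Microsoft.DocumentDB/databaseAccounts@2021-04-15' existing = {
  name: accountName
}

// Custom role: may create items, may not read, query, replace or delete them.
// readMetadata is needed so the SDK can discover databases and containers at
// startup; it exposes no item data.
resource iotWriter 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-04-15' = {
  parent: account
  name: guid(account.id, 'iot-device-writer') // role definition ids must be GUIDs
  properties: {
    roleName: 'IoT Device Writer'
    type: 'CustomRole'
    assignableScopes: [
      account.id
    ]
    permissions: [
      {
        dataActions: [
          'Microsoft.DocumentDB/databaseAccounts/readMetadata'
          'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create'
        ]
      }
    ]
  }
}

// Assignment scoped to one container: the device cannot write anywhere else
// in the account, and the role grants no read or delete action at any scope.
resource deviceAssignment 'Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments@2021-04-15' = {
  parent: account
  name: guid(iotWriter.id, devicePrincipalId, containerName)
  properties: {
    roleDefinitionId: iotWriter.id
    principalId: devicePrincipalId
    scope: '${account.id}/dbs/${databaseName}/colls/${containerName}'
  }
}
```

One caveat a practitioner should check: the RBAC model governs Azure AD identities only. Anyone holding the account's primary or secondary key still has full access, so key-based (local) authentication has to be disabled on the account separately, and the keys rotated, before this role is the effective boundary.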
Azure Security Center now includes container scanning results, powered by GitHub Actions, to help customers scale DevSecOps
Azure Security Center (ASC) can now show container scan results found by a GitHub Action, so ASC customers can incorporate security and compliance checks into the early stages of the software development lifecycle instead of only at the registry or runtime. This gives end-to-end traceability from the finding back to the workflow that built the image, which shortens remediation time and strengthens an organization’s cloud security posture.
Azure Defender for MySQL, PostgreSQL, and MariaDB is now Generally Available
Today we are happy to announce we are expanding Azure Defender’s SQL protection to open-source relational databases. Azure Defender for open-source relational databases is now generally available for use with Azure Database for MySQL, PostgreSQL and MariaDB single servers.
Azure Bicep v0.4 is now available, with new features to improve workflow and validate code
Azure Bicep, now available, is an open-source language for declaratively deploying Azure resources as code; it compiles to ARM templates and simplifies the authoring experience. It provides concise syntax, better support for code reuse and improved type safety. Azure Bicep v0.4 makes it easier to maintain code bases with the new Bicep linter, simplify code structures and validate code before deployment to reduce errors.
I think of Bicep as a nice and easy declarative language to deploy Azure infrastructure services like Azure Firewall, WAF, etc.
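As an added example of what the type safety and validation look like in practice (my own illustration, not code from the Book of News or the Bicep project), here is a WAF policy for Application Gateway. The decorators constrain the parameters at build time, so a typo in the mode or an overlong name fails `bicep build` before anything reaches Azure. Resource names and parameter values are assumptions.

```bicep
// Added example: Application Gateway WAF policy in Prevention mode.
// Names and defaults are assumptions for illustration.
@allowed([
  'Detection'
  'Prevention'
])
@description('Detection only logs rule matches; Prevention blocks them. Run in Detection until false positives are tuned out, then switch.')
param wafMode string = 'Prevention'

@minLength(3)
@maxLength(64)
param policyName string

param location string = resourceGroup().location

resource wafPolicy 'Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies@2020-11-01' = {
  name: policyName
  location: location
  properties: {
    policySettings: {
      state: 'Enabled'
      mode: wafMode
      // Inspect request bodies too; otherwise payloads in POST bodies bypass the rules.
      requestBodyCheck: true
      maxRequestBodySizeInKb: 128
      fileUploadLimitInMb: 100
    }
    managedRules: {
      managedRuleSets: [
        {
          ruleSetType: 'OWASP'
          ruleSetVersion: '3.1'
        }
      ]
    }
    customRules: []
  }
}

output wafPolicyId string = wafPolicy.id
```

Running `bicep build` on the file also runs the v0.4 linter, whose rules are configured in a `bicepconfig.json` next to the template; rules such as `secure-parameter-default` (a `@secure()` parameter carrying a real default) and `no-hardcoded-env-urls` (literal Azure endpoint URLs instead of the `environment()` function) are the ones that catch security-relevant mistakes.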
Continuous Access Evaluation in Microsoft Graph now in preview
Continuous Access Evaluation (CAE), an authentication feature in Azure Active Directory (Azure AD), is now available in Microsoft Graph in preview. Developers can update and test apps that use Microsoft Graph APIs to make their apps more secure. Using Microsoft Graph APIs with CAE support, apps become more resilient because token lifetime and token refresh are optimized: a CAE-capable client gets longer-lived tokens in exchange for being able to handle the claims challenge described below.
Instead of waiting for the access token to expire, commonly after 60 minutes, CAE lets Azure AD and the resource re-evaluate active user sessions in near real time. When a critical event is published, such as a user password change or reset, the user’s account being disabled, or an admin revoking sessions after a device is lost, the resource (here Microsoft Graph) rejects the still-unexpired token with an `insufficient_claims` challenge, and the client has to request a fresh token that satisfies that challenge. CAE can also stop a user from accessing secured resources when their network location changes to one that a Conditional Access policy does not allow.
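The exchange just described, as an added example (not MSAL, Graph SDK or Book of News code): a client that declares the `cp1` capability on every token request, detects the `insufficient_claims` challenge in the 401's `WWW-Authenticate` header, decodes the base64 claims, and re-acquires a token with those claims before retrying. `FakeGraph` and `FakeAuthority` are constructed stand-ins for the resource and the token broker so it runs offline; the challenge header and its timestamp are constructed sample data. In a real app MSAL performs the merge and re-acquisition for you once you pass it the decoded challenge.

```python
import base64
import json
import re

# Constructed sample of the 401 a CAE-capable resource such as Microsoft Graph returns
# once Azure AD has published a critical event: "claims" carries a base64-encoded
# claims challenge. The nbf ("not before") timestamp is a made-up value.
_CHALLENGE_CLAIMS = {"access_token": {"nbf": {"essential": True, "value": "1604106651"}}}
SAMPLE_CAE_CHALLENGE = (
    'Bearer realm="", '
    'authorization_uri="https://login.microsoftonline.com/common/oauth2/authorize", '
    'error="insufficient_claims", claims="'
    + base64.b64encode(json.dumps(_CHALLENGE_CLAIMS, separators=(",", ":")).encode()).decode()
    + '"'
)

# Claims a CAE-capable client adds to every token request to declare capability "cp1".
# Without this declaration Azure AD issues ordinary short-lived, non-revocable tokens.
CLIENT_CAPABILITY_CLAIMS = {"access_token": {"xms_cc": {"values": ["cp1"]}}}

_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_www_authenticate(header):
    """Split a Bearer WWW-Authenticate header into its key="value" parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    return dict(_PARAM_RE.findall(params))


def extract_claims_challenge(header):
    """Return the decoded claims challenge, or None if the 401 is not a CAE challenge."""
    params = parse_www_authenticate(header)
    if params.get("error") != "insufficient_claims" or not params.get("claims"):
        return None
    raw = params["claims"]
    raw += "=" * (-len(raw) % 4)  # tolerate stripped base64 padding
    return json.loads(base64.b64decode(raw))


def merge_claims(base, extra):
    """Merge two claims-parameter dicts (keyed by token type); the challenge wins."""
    merged = {k: dict(v) for k, v in base.items()}
    for token_type, claims in (extra or {}).items():
        merged.setdefault(token_type, {}).update(claims)
    return merged


def call_with_cae_retry(call_resource, acquire_token, max_retries=1):
    """Call a resource; on an insufficient_claims challenge, re-acquire the token with
    the challenge claims and retry. Bounded so a broken resource cannot loop forever."""
    token = acquire_token(claims=None)
    status, headers, body = call_resource(token)
    for _ in range(max_retries):
        if status != 401:
            break
        challenge = extract_claims_challenge(headers.get("WWW-Authenticate", ""))
        if challenge is None:
            break  # ordinary 401 (expired or invalid token), not a CAE challenge
        # The challenge goes into the new token request so Azure AD re-evaluates the
        # session and issues a token that satisfies the resource.
        token = acquire_token(claims=challenge)
        status, headers, body = call_resource(token)
    return status, body


class FakeGraph:
    """Constructed stand-in for a CAE-capable resource: tokens issued before the
    critical event are rejected with the claims challenge, newer ones are accepted."""
    CRITICAL_EVENT_TS = 1604106651

    def __call__(self, token):
        if token["iat"] < self.CRITICAL_EVENT_TS:
            return 401, {"WWW-Authenticate": SAMPLE_CAE_CHALLENGE}, ""
        return 200, {}, '{"displayName":"Example User"}'


class FakeAuthority:
    """Constructed stand-in for the token broker (MSAL plus Azure AD): serves a cached
    token until a challenge with nbf forces fresh issuance; records each request."""

    def __init__(self):
        self.requests = []
        # Cached token issued before the event; by lifetime alone it would keep working.
        self.cached = {"iat": 1604100000}

    def __call__(self, claims):
        request = merge_claims(CLIENT_CAPABILITY_CLAIMS, claims)
        self.requests.append(request)
        nbf = request["access_token"].get("nbf")
        if nbf is not None:
            self.cached = {"iat": int(nbf["value"]) + 1}  # issued after the event
        return self.cached


def demo():
    """Run the exchange end to end; returns (status, body, claims sent per request)."""
    authority = FakeAuthority()
    status, body = call_with_cae_retry(FakeGraph(), authority)
    return status, body, authority.requests


if __name__ == "__main__":
    print(demo())
```

The retry is bounded on purpose: a resource that keeps answering with challenges would otherwise drive an unbounded loop of token requests, and an ordinary 401 without `insufficient_claims` is surfaced rather than retried.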
Azure Active Directory access reviews provide more control over access to privileged information
Azure Active Directory (Azure AD) access reviews enable periodic reviews of service principals and apps assigned to directory roles, as well as roles in Azure subscriptions. This capability helps customers ensure that their services and apps, just like their employees, are abiding by established least-privilege policies, helping reduce the damage caused by an attack. In Azure AD, a service principal is typically created for an app or code that needs to access or modify resources that can only be facilitated through an identity with the necessary permissions. As customers move more apps to the cloud and procure third-party software as a service (SaaS) apps, these service principals are assigned privileged roles, which often go ungoverned. Now, with Azure AD access reviews and Privileged Identity Management (PIM), you can periodically review the assignments of privileged roles to service principals in your tenant
Azure Confidential Ledger provides a tamper-proof register for storing sensitive data
Azure Confidential Ledger (ACL), a new managed Azure service, is a tamper-proof register for storing sensitive data for recordkeeping and auditing. Now in preview, ACL may be the first ledger to market that not only is tamper-proof and tamper-evident, but offers confidentiality through a Trusted Execution Environment (TEE), the secure area of a main processor. It is the only ledger technology that uses confidential computing to protect data in use. Data in use or memory can contain sensitive data including digital certificates, encryption keys, intellectual property and personally identifiable information.
Lastly, have a look at this interesting open-source project, the Confidential Consortium Framework (CCF), for building secure and highly available applications that focus on multi-party compute and data.