Azure Security Announcements - August 5th 2022

August 10, 2022

This week, there are 10 announcements related to Azure Security.

Azure Active Directory

General Availability

Temporary access pass (TAP) is now generally available. A temporary access pass can be used to securely register passwordless methods such as phone sign-in and phishing-resistant methods like FIDO2, and it can also assist in Windows onboarding (Azure AD Join and Windows Hello for Business). Temporary access pass makes recovery easier when you have lost or forgotten your strong authentication methods and need to sign in to register new ones.

Announcement: https://azure.microsoft.com/updates/general-availability-temporary-access-pass-for-azure-active-directory/
Documentation: https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-temporary-access-pass?WT.mc_id=wwc-aces

Azure Firewall

Security Updates

Azure Firewall Premium has received the Intrusion Prevention System (IPS) certification from ICSA Labs. This is an important IPS certification and an addition to the existing ICSA Labs Firewall certification.

Azure Firewall Premium SKU is a managed, cloud-based network security service that protects your Azure Virtual Network resources. It provides advanced threat protection that meets the needs of highly sensitive and regulated environments and includes Intrusion Prevention System (IPS) and TLS inspection capabilities.

ICSA Labs provides credible third-party testing and certification of security and health IT products, as well as network-connected devices. This includes certification of network intrusion prevention systems.

The ICSA Labs Network Intrusion Prevention System (IPS) security certification test cycle evaluated Azure Firewall's protection against exploits aimed at approximately 100 high-severity vulnerabilities in enterprise software. Because real-world attacks do not happen on a quiescent network, ICSA Labs tests with an appropriate level of background traffic using various mixes of enterprise network traffic. The test also covered evasion techniques, platform security of the product itself, logging, secure administration, and administrative functions.

Announcement: https://azure.microsoft.com/updates/azure-firewall-premium-is-now-icsa-labs-certified/
Documentation: https://www.icsalabs.com/sites/default/files/FINAL_Microsoft_NIPS_Cert_Testing_Report_20220715.pdf

Azure Kubernetes Service

Preview Features

You can now protect your Kubernetes clusters and container workloads from potential threats by restricting deployment of container images with vulnerabilities in their software components. This feature allows you to use Azure Policy and Azure Defender for Containers to identify and patch vulnerabilities prior to deployment.

Announcement: https://azure.microsoft.com/updates/public-preview-policy-blocking-the-deployment-of-vulnerable-images/
Documentation: https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockVulnerableImages.json

Preview Features

Azure Kubernetes Service (AKS) provides the capability for organizations to deploy containers at scale. We are expanding the Azure confidential computing portfolio to enable AMD-based confidential VM node pools in AKS, adding defense-in-depth to Azure's already hardened security profile.
With the general availability of confidential virtual machines featuring AMD 3rd Gen EPYC™ processors with Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), organizations get VMs with isolated, encrypted memory and confidentiality attestation rooted in the hardware.

AKS now supports confidential and non-confidential node pools on a single cluster. This means that applications processing sensitive data can reside in a VM-level Trusted Execution Environment (TEE) node pool whose memory encryption keys are generated by the chipset itself. Confidential node pools on AKS enable a seamless transition of Linux container workloads to Azure without the overhead of changing code.

Announcement: https://azure.microsoft.com/updates/public-preview-amdbased-confidential-vms-for-azure-kubernetes-service-aks/
Documentation: https://techcommunity.microsoft.com/t5/azure-confidential-computing/confidential-vm-node-pool-with-amd-sev-snp-protection-available/ba-p/3586136

General Availability

The Federal Information Processing Standard (FIPS) 140-2 is a US government standard that defines minimum security requirements for cryptographic modules in information technology products and systems.

AKS allows you to create Linux and Windows-based node pools with FIPS 140-2 enabled. Deployments running on FIPS-enabled node pools can use those cryptographic modules to provide increased security and help meet security controls as part of FedRAMP compliance.

Announcement: https://azure.microsoft.com/updates/generally-available-fips-compliant-nodes-for-windows-in-aks/
Documentation: https://docs.microsoft.com/azure/aks/use-multiple-node-pools?WT.mc_id=wwc-aces#add-a-fips-enabled-node-pool-preview

Azure Monitor

Preview Features

Currently, Azure Monitor VM insights requires a Log Analytics agent and a dependency agent installed on each virtual machine or virtual machine scale set to be monitored. This public preview introduces a version of VM insights that uses the new Azure Monitor agent, replacing the existing Log Analytics agent.

Several key capabilities have been released in preview:

  • Easy configuration using data collection rules to collect VM performance counters and specific data types.
  • Option to enable or disable collection of the processes and dependencies data that powers the Map view, to optimize costs.
  • Enhanced security and performance that comes with using Azure Monitor agent and managed identity.

Announcement: https://azure.microsoft.com/updates/public-preview-enable-vm-insights-using-azure-monitor-agent/
Documentation: https://docs.microsoft.com/azure/azure-monitor/vm/vminsights-overview?WT.mc_id=wwc-aces

Azure App Services

General Availability

Custom domain suffix capability is now available in App Service Environment (ASE), an Azure App Service feature that provides a fully isolated and dedicated environment for running App Service apps securely at high scale. Your apps are no longer restricted to being reachable only through the domain names defined by your App Service Environment's default domain suffix. Custom domain suffix is an internal load balancer (ILB) App Service Environment feature that allows you to use your own domain suffix to access the apps in your App Service Environment.

Announcement: https://azure.microsoft.com/updates/general-availability-azure-app-service-environment-v3-support-for-custom-domain-suffix/
Documentation: https://docs.microsoft.com/azure/app-service/environment/how-to-custom-domain-suffix?pivots=experience-azp?WT.mc_id=wwc-aces

Azure CosmosDB

New Features

The audit log for continuous backup mode in Azure Cosmos DB lets you view the details of a restore action on both the source account and the destination account. It shows the restore progress in the activity log, including which databases and containers were restored for the given account, and it records who performed the restore and when. Because this audit information is available in the activity log, there is no need to enable a special diagnostic log.

Announcement: https://azure.microsoft.com/updates/generally-available-audit-log-for-continuous-mode-with-azure-cosmos-db/
Documentation: https://docs.microsoft.com/azure/cosmos-db/audit-restore-continuous?WT.mc_id=wwc-aces

Azure Sphere

General Availability

The Azure Sphere 22.07 feature release is now available and includes the following components:

  • Updated Azure Sphere OS
  • Updated Azure Sphere SDK for Windows and for Linux
  • Updated Azure Sphere extensions for Visual Studio and for Visual Studio Code
  • Updated samples and documentation

If your devices are connected to the internet, they will receive the updated OS from the cloud. You'll be prompted to install the updated SDK on next use.

Announcement: https://azure.microsoft.com/updates/general-availability-azure-sphere-version-2207/
Documentation: https://docs.microsoft.com/azure-sphere/product-overview/whats-new?WT.mc_id=wwc-aces

Azure Virtual Machines

New Features

Today, we are announcing the availability of Trusted Launch support for DCsv3 and DCdsv3 virtual machines.

DCsv3 and DCdsv3 series virtual machines, which are now generally available, support Intel® SGX. These 3rd Generation Intel® Xeon Scalable processor-based machines with Intel® Turbo Boost Max Technology 3.0 have six times the CPU cores of the previous generation and 12 times the memory. They also offer 1500 times the Enclave Page Cache (EPC) memory of the previous generation, which together lets you make full use of Intel® SGX technology.

This hardware-based security model is now just a few clicks away in Azure: DCsv3 virtual machines can be deployed with the Trusted Launch feature enabled.

Announcement: https://azure.microsoft.com/updates/generally-available-trusted-launch-support-for-dcsv3-and-dcdsv3-series-virtual-machines/
Documentation: https://techcommunity.microsoft.com/t5/azure-confidential-computing/bg-p/AzureConfidentialComputingBlog
