Security Mental Model for Azure

JD Meier

16 Sep 2009 7:04 PM

Comments 3

We’ve been exploring Azure on the patterns & practices team for potential security guidance. To get our heads around it, we’ve had to create a simple view for our team that we could quickly whiteboard or drill into. We wanted a way to easily compare with our previous security guidance. Here’s what we ended up with …

Today’s application security mental model …

Compare that to our evolving security mental model for Azure …

The key thing to note is that on Azure you have a managed infrastructure, but you still have to address application security issues, as you would in today’s on-premise scenario. There are obviously more details to the story, but I’ll elaborate on those another day. For now, the key is to simply notice how you can carry forward your application security skills to the cloud as a new deployment channel.

Security

Comments

alikl

19 Sep 2009 2:03 PM

Good one!

Now I can clearly see how i can re-use my curent security investment applying it in emerging tech

Good perspective!
JenisysJohn

22 Sep 2009 9:42 AM

Thanks, JD, especially for the "mental map" concept and diagram.

What happened to "Parameter Manipulation" (from the "Securing the Application" block)? Is there some reason using the Cloud removes this concern?

Thanks again,

John
JD Meier

22 Sep 2009 12:19 PM

@ Alik

Thank you.

@ John

We folded parameter manipulation into our validation bucket. We've basically combined parameter manipulation, input and data validation into a simpler bucke - "validation" as our catch all.