Microsoft Azure, one of the leading cloud platforms, offers individual customers, startups and large enterprises an easy way to manage and deploy applications and services. It also enables enterprises to scale out, scale up and scale down as per their business requirements. Microsoft Azure helps enterprises to control their CAPEX and OPEX and allows building and deploying long-term and sustainable workloads.
Many customers raise concerns over the ‘security’ of the cloud platform before they decide to migrate to the cloud. Microsoft Azure is one of the most secure clouds to host your workload, irrespective of whether it is a small web application or a large-scale enterprise-grade product or service. There is a plethora of services in Azure that allow you to secure both your application and your infrastructure. Most customers take all measures to ensure their application is secure while building and developing it. They also run OWASP Top 10 style tests along with load tests to ensure there are no loopholes or leaks. Security of the application, the data associated with it and the infrastructure is critical for any organization.
In Microsoft Azure, data in transit is highly secure as it is encrypted. There are also mechanisms and tooling available to secure and encrypt your data at rest. Security measures like WAF (Web Application Firewall), NSG (Network Security Groups), Azure Security Center, Log Analytics with Threat detection etc. are commonly used. Although these features are available to secure your application and data, a few customers still wish to perform another critical test, namely ‘penetration testing’, commonly known as a ‘Pen Test’. Before June 15, 2017, Microsoft used to require pre-approval to conduct a penetration test against Microsoft Azure resources. However, after June 15, 2017, Microsoft no longer requires any pre-approval to conduct a Pen Test against Azure resources.
Customers who wish to perform a Pen Test against Azure resources can now simply fill out a request and submit it to Microsoft for further processing. This is only for customers who wish to formally document upcoming penetration testing engagements against Microsoft Azure. Microsoft will analyze the request and send a notification to the customer accordingly. Customers can fill in and submit the Pen Test request at https://bit.ly/2OvRQxr.
The request follows a 3-step process.
The following are the 3 standard tests that you can perform as part of Pen Testing:
- OWASP Top 10
- Port Scanning
- Fuzz Testing
However, you cannot perform a DDoS test as part of a Pen Test. For DDoS testing, you can read more about the Azure DDoS protection offering at https://bit.ly/2EAsTLv. For more insight into Pen Test engagements with Microsoft, visit https://bit.ly/2NlPHb9.