Cloud security

Windows Azure Platform

AJ Kumar, December 5, 2014


The software industry is moving relentlessly toward centralized computing. As a result, software and data are being moved off conventional computers and placed in public or private clouds instead. Microsoft has been active in the cloud since 2008, when it introduced consumer cloud services such as Hotmail and Live gaming services. It has also announced a suite of cloud-based business productivity and collaboration applications called Microsoft Online Services, including SharePoint Online, Exchange Hosted Services, and CRM. This article introduces cloud computing in the context of the Windows Azure platform in particular and describes the different services and types of solutions that this platform makes possible.


Introduction

Windows Azure is an operating system in the cloud and forms the core platform for all the other Azure services. In simple terms, it is a collection of building blocks for cloud services: several geographically separated data centers deliver geo-located services, and platform, enterprise, middleware, and consumer service groups combine to form an end-to-end cloud service. This article provides an organized walkthrough of the Windows Azure platform and the related technologies that together make up its cloud infrastructure. The following figure depicts a comprehensive view of the Windows Azure platform technologies, each of which is elaborated in the following sections, with particular attention to its purpose, operation, usage, and configuration.

1. Windows Azure Platform

Windows Azure offers a distributed operating system in which we can build, test, and deploy applications without dealing with the classic front-end interface. For instance, we do not have to rely on the IIS console to configure sites, virtual directories, or application pools. Microsoft designed Azure so that .NET professionals can apply their existing skills to build ASP.NET websites and XML and WCF web services. Windows Azure is a cloud platform, or operating system, that runs your business applications, services, and workloads in the cloud. It serves the same function as a traditional operating system on a hardware platform: it lets applications run in a virtual environment by providing them with the physical hardware resources they need. Windows Azure offers a wide range of capabilities: compute services to run applications, storage services, and a framework that supports many applications, hosts services, and manages them centrally. The Azure platform is a group of four cloud technologies:

1.1 Windows Azure

The Windows Azure operating system offers a familiar experience, as it lets developers and users apply existing Microsoft technologies such as .NET, SQL Server, and WCF to develop applications in the cloud. Windows Azure provides a kind of virtual Windows runtime for executing applications and storing data on computers in Microsoft data centers; it includes computational services, basic storage, queues, a web server, management services, and load balancers. Building applications on the Windows Azure platform is not very complex, because developers write familiar .NET code in Visual Studio to build applications that run in the cloud. Azure also offers a local development fabric for building and testing services before they are deployed to Windows Azure in the cloud. The following diagram depicts the various components of Windows Azure:

1.1.1 Compute

The Azure Compute services are the core services of the Windows Azure operating system. Referred to as a Hosted Service in Windows Azure portal terminology, they let us develop and deploy Windows Azure cloud services in an environment consisting of the .NET 4.5 Framework and IIS 7 running on a Windows Server OS. We can also enable Full Trust in Windows Azure services to develop native applications. The Windows Azure Compute service uses a role-based design; the current version of Windows Azure supports two kinds of roles, the Web role and the Worker role. Most commonly, the Web role is an ASP.NET website with HTTP or HTTPS endpoints, or a WCF or XML web service, that runs under Internet Information Server in the cloud environment. The Worker role runs as a continuous background process in the cloud; it exposes internal and external endpoints and also calls external interfaces. In total, Windows Azure supports three kinds of virtual machine roles:

  • Web Role: It enables the functionality of constructing ASP.NET web applications, including MVC with Internet Information Server (IIS).
  • Worker Role: It performs the background process for the web role.
  • VM Role: It runs an image of a Windows Server OS in a virtual machine. Users can therefore set up, configure, and maintain the OS themselves and use Windows services and scheduled tasks inside the VM role.

Four different models, Web Sites, Virtual Machines, Cloud Services, and Mobile Services, make up the compute services portion of the Windows Azure platform. They can be used either separately or together to build more complex solutions that meet specific business requirements.

1.1.2 Management

The management fabric automates the deployment of virtualized operating system images onto server hardware and regulates the life cycle of a deployment by allocating and withdrawing hardware and operating system image resources as necessary. In other words, the management fabric provisions the hardware servers, deploys the operating system image on them, and then deploys your service to those servers; the service is consumed from the cloud once it has been deployed.

1.1.3 Storage

Windows Azure data storage enables users to store, access, analyze, and protect their data while making it available from anywhere at any time. Windows Azure provides services ranging from SQL databases in the cloud to analysis and reporting, to meet the needs of your business. It aims to keep application data secure in the cloud while delivering high throughput. Windows Azure offers three types of storage in the cloud:

  • Blob: Blobs offer a mechanism for storing large amounts of text or binary data such as images, audio, or video files. A blob can scale up to 200 terabytes and can be accessed using REST APIs. We can move blob data as a single volume between private and public clouds using Windows Azure Drive.
  • Table: Tables represent a storage location, spread across machines, for data that resides in the cloud in the form of entities and properties. Tables store large amounts of unstructured data, which can be accessed either through REST APIs from within a service running in Windows Azure or directly over the Internet using HTTP/HTTPS.
  • Queue: A queue's sole objective is to enable communication between Web and Worker role instances; it stores messages that may be retrieved by a client. Web role instances enqueue user requests that need to be processed in the background. On the other side, the Worker role watches the queue, processes each request, and responds back to the Web role instance via a queue.
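All three storage services are reached over the REST API the list above mentions, and every request to a private blob, table or queue has to carry an Authorization header that proves possession of the storage account key. The following Python is an added example, not code from the article or from Microsoft: it builds the Shared Key string-to-sign and HMAC-SHA256 signature for a blob request the way the Storage service documents it, verifies such a header on the receiving side in constant time, and applies the 15-minute clock-skew window that the service enforces against replayed requests. The account name, the base64 account key, the blob URL and the dates are constructed placeholders; the Content-Length convention follows the 2015-02-21 and later API versions, where a zero-length body is written as an empty field.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed placeholders: a storage account name and a base64 key, not a real account.
ACCOUNT = "contosostorage"
ACCOUNT_KEY_B64 = base64.b64encode(b"0123456789abcdef" * 4).decode()  # 64-byte demo key


def canonicalized_headers(headers):
    """x-ms-* headers, lower-cased and sorted by name, one 'name:value\\n' per header."""
    xms = {k.lower(): v.strip() for k, v in headers.items() if k.lower().startswith("x-ms-")}
    return "".join(f"{name}:{xms[name]}\n" for name in sorted(xms))


def canonicalized_resource(account, url):
    """'/account/path' followed by each query parameter as '\\nname:value', sorted by name."""
    parts = urlsplit(url)
    resource = f"/{account}{parts.path}"
    params = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        params.setdefault(name.lower(), []).append(value)
    for name in sorted(params):
        resource += f"\n{name}:{','.join(sorted(params[name]))}"
    return resource


def string_to_sign(account, method, url, headers):
    """Twelve standard header lines, then the canonicalized headers and resource."""
    h = {k.lower(): v for k, v in headers.items()}
    length = h.get("content-length", "")
    if length == "0":  # a zero-length body is written as an empty field (2015-02-21+)
        length = ""
    # The Date line stays empty because x-ms-date carries the timestamp.
    standard = [method.upper(), h.get("content-encoding", ""), h.get("content-language", ""),
                length, h.get("content-md5", ""), h.get("content-type", ""), "",
                h.get("if-modified-since", ""), h.get("if-match", ""), h.get("if-none-match", ""),
                h.get("if-unmodified-since", ""), h.get("range", "")]
    return ("\n".join(standard) + "\n"
            + canonicalized_headers(headers) + canonicalized_resource(account, url))


def shared_key_signature(account, key_b64, method, url, headers):
    """Base64(HMAC-SHA256(decoded account key, UTF-8 string-to-sign))."""
    payload = string_to_sign(account, method, url, headers).encode("utf-8")
    mac = hmac.new(base64.b64decode(key_b64), payload, hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(account, key_b64, method, url, headers):
    """Value of the Authorization header: 'SharedKey <account>:<signature>'."""
    return f"SharedKey {account}:{shared_key_signature(account, key_b64, method, url, headers)}"


def verify_authorization(account, key_b64, method, url, headers, auth_value):
    """Receiver-side check: recompute the header and compare in constant time."""
    expected = authorization_header(account, key_b64, method, url, headers)
    return hmac.compare_digest(expected, auth_value)


def is_fresh(headers, now=None, max_skew=timedelta(minutes=15)):
    """Replay guard: x-ms-date must lie within max_skew of the receiver's clock.

    now may be None (use the current UTC time), an aware datetime, or an RFC 1123 string."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parsedate_to_datetime(now)
    h = {k.lower(): v for k, v in headers.items()}
    sent = parsedate_to_datetime(h["x-ms-date"])
    return abs(now - sent) <= max_skew


# Constructed request: read the metadata of one blob in a 'backups' container.
SAMPLE_URL = f"https://{ACCOUNT}.blob.core.windows.net/backups/db.bak?comp=metadata"
SAMPLE_HEADERS = {"x-ms-date": "Fri, 05 Dec 2014 10:00:00 GMT", "x-ms-version": "2015-02-21"}

if __name__ == "__main__":
    print(string_to_sign(ACCOUNT, "GET", SAMPLE_URL, SAMPLE_HEADERS))
    print(authorization_header(ACCOUNT, ACCOUNT_KEY_B64, "GET", SAMPLE_URL, SAMPLE_HEADERS))
```

Because the signature covers the verb, the x-ms-* headers and the canonicalized path and query, changing any of them (a GET turned into a DELETE, a different blob name) invalidates the header; the skew check is what stops a captured, still-valid header from being replayed later. A Shared Key header carries the full account key's authority, so for anything handed to a client a scoped, time-limited Shared Access Signature is the safer choice.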

1.1.4 CDN

A CDN, or Content Delivery Network, addresses the user latency problem by reducing the number of hops a request has to make. The service minimizes latency by caching data in various geographic locations across the globe: at each site, the content delivery network stores a replica of a blob close to the clients that use it. Blobs typically hold content such as video, which is accessed from many different locations. This mechanism therefore speeds up delivery of frequently accessed content and improves performance.

1.2 AppFabric

Azure AppFabric provides a wide-ranging cloud middleware platform for developing, deploying, and managing applications on the Windows Azure platform. It allows federated access control and distributed messaging across clouds and enterprises, and lets us link existing applications to the cloud through secure connectivity across network and geographic boundaries. Developers use Windows Azure AppFabric to connect application pieces together, manage identity and access control, cache remote resources, and create composite applications. They can build WCF-style services in Visual Studio .NET and publish endpoints to the cloud from within the Visual Studio .NET design environment. The following diagram depicts the components of AppFabric:

1.2.1 Access Control

The Access Control service provides identity and access control for web applications and service resources through REST and the Web Resource Access Protocol (WRAP), while integrating with standards-based identity providers, including enterprise directories such as Active Directory (AD) and web identities such as Windows Live ID and Google. The client sends a request, carrying its claims, to the public Access Control URL in order to access a particular remote application resource. The Access Control service then checks the input claims against the defined rules, produces the output claims, and returns them in a secure token that the client application presents to the remote application.
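The claims flow just described, input claims from an identity provider mapped through rules into output claims and handed back in a signed token, can be made concrete in a few dozen lines. The Python below is an added example, not code from the article or from the Access Control service itself: it models a rule group, issues a Simple Web Token (the form-encoded, HMAC-SHA256-signed format the service used over WRAP), and shows the checks a relying party must perform before trusting the claims. The issuer URL, the signing key, the rule group and the identity provider names are constructed placeholders.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

# Constructed placeholders: the Access Control namespace URL and the key it shares with the relying party.
ACS_ISSUER = "https://contoso-demo.accesscontrol.example/"  # hypothetical namespace, not a real one
SIGNING_KEY = b"constructed-32-byte-demo-signing-key!!"      # demo value only

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed rule group. Each rule maps one input claim from one identity provider to one output claim.
# input_value None matches any value; output_value None passes the input value through unchanged.
RULES = [
    {"issuer": "Google", "input_type": EMAIL, "input_value": None,
     "output_type": "name", "output_value": None},
    {"issuer": "Google", "input_type": EMAIL, "input_value": "alice@example.com",
     "output_type": "role", "output_value": "admin"},
    {"issuer": "LiveId", "input_type": "nameidentifier", "input_value": None,
     "output_type": "name", "output_value": None},
]


def apply_rules(issuer, input_claims, rules=RULES):
    """Transform the identity provider's claims into the output claims the rules allow."""
    output = {}
    for rule in rules:
        if rule["issuer"] != issuer or rule["input_type"] not in input_claims:
            continue
        value = input_claims[rule["input_type"]]
        if rule["input_value"] is not None and rule["input_value"] != value:
            continue
        output[rule["output_type"]] = value if rule["output_value"] is None else rule["output_value"]
    return output


def _sign(unsigned):
    """Base64 HMAC-SHA256 over the form-encoded claims, as an SWT carries it."""
    return base64.b64encode(hmac.new(SIGNING_KEY, unsigned.encode("utf-8"), hashlib.sha256).digest()).decode("ascii")


def issue_token(issuer, input_claims, audience, now, ttl=600):
    """Return an SWT for the relying party 'audience', or None when no rule produced a claim.

    now is a POSIX timestamp in seconds; ExpiresOn is encoded the same way."""
    claims = apply_rules(issuer, input_claims)
    if not claims:
        return None
    claims.update({"Issuer": ACS_ISSUER, "Audience": audience, "ExpiresOn": str(now + ttl)})
    unsigned = urlencode(claims)
    return unsigned + "&" + urlencode({"HMACSHA256": _sign(unsigned)})


def verify_token(token, audience, now):
    """Relying-party side: signature first, then issuer, audience and expiry. Returns (ok, claims_or_reason)."""
    unsigned, sep, sig_part = token.rpartition("&HMACSHA256=")
    if not sep:
        return False, "unsigned token"
    presented = dict(parse_qsl("HMACSHA256=" + sig_part)).get("HMACSHA256", "")
    if not hmac.compare_digest(presented, _sign(unsigned)):
        return False, "bad signature"
    claims = dict(parse_qsl(unsigned))
    if claims.get("Issuer") != ACS_ISSUER:
        return False, "unknown issuer"
    if claims.get("Audience") != audience:
        return False, "audience mismatch"
    if int(claims.get("ExpiresOn", "0")) <= now:
        return False, "token expired"
    return True, claims


if __name__ == "__main__":
    token = issue_token("Google", {EMAIL: "alice@example.com"}, "https://app.example.com/", 1417773600)
    print(token)
    print(verify_token(token, "https://app.example.com/", 1417773601))
```

The order of the checks matters: the signature is verified before any claim is read, so a tampered role value is rejected without ever being parsed as trusted data, and the audience check keeps a token minted for one application from being replayed against another.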

1.2.2 Caching

Caching is the most effective way to improve the performance of frequently accessed data in ASP.NET websites. Some applications repeatedly access the same information; caching makes this information more readily accessible and can make the application faster. In short, Caching provides an in-memory, distributed, highly available application cache service for Windows Azure applications.

1.2.3 Service Bus

Via HTTP and REST, the Service Bus provides secure connectivity and messaging through which distributed applications can talk to one another. The Service Bus is hosted in the cloud, so any application with an Internet connection can reach it. You create a new service namespace in the portal to start exchanging messages via the Service Bus from any application and platform. The messages transmitted by the Service Bus can contain XML, graphics, binary data, text, and streaming content. It also exposes classes for various programming environments that use REST and HTTP to interact with Service Bus nodes.

1.3 SQL Azure

The SQL Azure technology is employed in the cloud to address the growing size and scale of data and the primary data challenges associated with scalability, availability, security, and manageability. Developers access SQL Azure using the Tabular Data Stream protocol, the usual way of accessing on-premise SQL Server instances through SQL clients such as ADO.NET, the ADO.NET Entity Framework, LINQ, and ODBC. Developers can create tables, indexes, and views, use stored procedures, and define triggers, just as with SQL Server. A significant benefit of SQL Azure is that management requirements are greatly reduced, because administrators need not worry about operations such as monitoring disk usage and servicing log files. The following figure depicts the various components of SQL Azure:

SQL Azure is the cloud-based technology solution to deal with relational and other types of data as part of the Windows Azure platform. Broadly, SQL Azure provides the following activities and key benefits:

  • SQL Azure offers "Server Management Studio", an integrated environment for configuring and accessing databases in the cloud.
  • SQL Azure provides an authentication and authorization framework similar to that of on-premise SQL Server databases, and uses firewall security that can be configured through the Azure Management Portal.
  • SQL Azure supports the overall development, deployment, and provisioning of databases in the cloud.
  • SQL Azure performs basic operations, including creating tables, indexes, views, roles, stored procedures, triggers and functions, constraints, and temp tables.
  • SQL Azure executes complex queries and joins across multiple tables, and performs transactions with basic aggregation functions.
  • SQL Azure performs logging and monitoring: its administration capabilities monitor and track potential issues associated with the data.

1.3.1 Database

SQL Azure Database provides the core database functions of SQL Server as a cloud service. An application using SQL Azure Database typically accesses data via the Tabular Data Stream (TDS) protocol, which is also used to access a local SQL Server database. A SQL Azure Database application can therefore use any existing SQL Server client, including ADO.NET, ODBC, Entity Framework, PHP, and others.

1.3.2 Reporting

SQL Azure Reporting is based on SQL Server Reporting Services and meets the demand for reporting on data stored in SQL Azure Database. Reports can be published to the SQL Azure Reporting portal and made accessible to users via a URL. Reports used with SQL Azure Reporting are created on-premises and designed to work with data stored in SQL Azure Database.

1.3.3 Synchronization

A key feature of SQL Azure is anytime, anywhere access to data by means of SOAP and REST interfaces. You can use SQL Azure by creating a storage account within your Windows Azure platform account. Azure Data Sync keeps SQL Azure and on-premise SQL Server in step: it provides bidirectional data synchronization based on the Microsoft Sync Framework and allows an on-premise database to be linked to a SQL Azure Database. Each Windows Azure platform account can host several SQL Azure storage servers, each of which can contain multiple databases and uses the master database by default.

1.4 Marketplace

The Windows Azure Marketplace contains data and various other application market segments, including data and web services from leading commercial data providers and authoritative public data sources. Customers have access to datasets such as demographic, environmental, financial, retail, weather, and sports data. The following figure depicts the various components of the Azure Marketplace:

1.4.1 App Market

The App Market exposes applications or services created by developers to potential customers, so that customers can easily choose the ones that suit their needs.

1.4.2 Data Market

The Data Market offers data providers a chance to expose their offerings to more customers through Microsoft's cloud platform. In simple words, the Data Market provides a single place to find, buy, and access a variety of commercial datasets.

2. Operating in Azure

The starting point for Azure application development in the cloud is the Windows Azure Development portal (https://manage.windowsazure.com), which requires a Windows Live ID and is accessed through a remote login utility such as PuTTY or RDP (mstsc.exe). The typical developer workflow for creating or deploying an application on the Windows Azure platform involves the following steps.

Step 1: Create a Windows Azure account and log in using a Microsoft Live ID.

Step 2: Prepare the development fabric to create an application in the local cloud platform.

Step 3: Test the application in the development fabric.

Step 4: Package the application for cloud deployment.

Step 5: Test the application on Windows Azure in the cloud.

Step 6: Deploy the application in the production farm.

Currently, Microsoft offers a free one-month trial of Azure services; it does not yet offer free long-term usage. Once you have created an account, bought the necessary Azure cloud services subscription, and logged in to the Azure portal (manage.microsoftazure.com), you can use all the services offered by the Azure virtual operating system, including Compute, Websites, Mobile, and Data services.

3. Security Concerns

The Windows Azure platform offers developers on-demand compute and storage to host, scale, and manage web applications in the cloud through Microsoft datacenters. Everything is managed easily in the cloud; we do not need our own hardware, software, or configuration at all. The one remaining concern is the security of data and resources, which is a non-negotiable obligation for a cloud service. Business or sensitive data stored in the cloud needs to be encrypted not only at rest but also in transit. It is therefore mandatory to implement proper access control mechanisms that prohibit unauthorized access to data and applications, because critical data is one step away from falling into malicious hands. Secure channels between application domains in the cloud should be built into the cloud service infrastructure. If the environment and applications are not properly secured, any cloud platform can be compromised, which is why IT architects remain concerned about the risks of cloud computing.

Conclusion

Cloud computing is the next-generation technology in which everything will be located in the cloud. A simple device such as a tablet PC or mobile phone equipped with an Internet connection and a browser is enough to get a taste of cloud computing. Running applications in Azure offers many advantages over the traditional way of running programs, such as faster service deployment, large upfront savings, and easy management of business growth by scaling computing power and storage up or down. This article has provided a comprehensive tour of Windows Azure cloud computing. It explained the various layers of the Windows Azure platform, including data services, AppFabric, and the Marketplace. Finally, it discussed the life cycle of application development with real experience of the Azure portal and examined potential threats when operating in the Azure cloud environment, in terms of sensitive data protection and authentication.


AJ Kumar

AJ Kumar is a cyber security evangelist with a great passion for open source programming, IT security, bug detection, penetration testing, and assembly language on diverse platforms including Windows and Linux. He can be reached via ajkumarhv[at]gmail[dot]com.