Microsoft today is launching Azure Front Door Standard and Premium in preview with two new SKUs that add threat detection, application security, and additional security protections to the content delivery network (CDN).
Azure already offers two edge networking tools: Azure Front Door, which focuses on global load-balancing and site acceleration, and Azure CDN Standard, which offers static content caching and acceleration. The new Azure Front Door brings together security with CDN technology for a cloud-based CDN with threat protection and additional capabilities.
These updates stem from Microsoft's efforts to bring zero-trust principles to businesses using Azure network security tools, says Ann Johnson, Microsoft's corporate vice president of Security, Compliance, and Identity (SCI) Business Development. Microsoft's zero-trust strategy has underpinned several initiatives, as the company believes this is how companies will become more secure.
Johnson uses three principles to describe zero trust, the first of which involves adopting explicit verification for every transaction during a session: "So not just verifying the human, but the device, the data, the location, if it's an IoT device, the application – everything that happens in the session should be verified and anomalous behavior should be flagged," she explains.
The second principle is ensuring least privilege access. Many organizations still provide too much privileged access to employees, Johnson says. One of the steps Microsoft is taking with its content and application delivery is implementing more controls around access.
The third principle: "Then, finally, assume you've been breached," she says. Assumed breach is a topic the security industry has discussed for years, but with zero trust, organizations have to assume they have been breached, and that anything within the organization could potentially be breached.
These principles have grown essential as application-delivery networks undergo a massive transformation to the cloud, Johnson explains. The new capabilities in Azure Front Door aim to provide organizations with one platform that meets availability, scalability, and security needs.
The new Azure Front Door Standard SKU offers both static and dynamic content acceleration, global load-balancing, SSL offload, domain and certificate management, improved traffic analytics, and basic security capabilities, Microsoft writes in a blog post. The Azure Front Door Premium SKU builds on these with more security capabilities: Web application firewall (WAF), bot protection, private link support, and integration with Microsoft threat intelligence and security analytics.
In addition to supporting all the features available via Azure CDN Standard, Azure Front Door, and Azure Web Application Firewall, the new Standard and Premium SKUs bring a few new capabilities, Microsoft officials write in a blog post. These include a simplified user experience, simplified management experience, and TLS certificate management: both Standard and Premium SKUs offer Azure managed TLS certificates by default for all custom domains at no additional cost.
"I'm encouraging our customers to encrypt all their communication channels across the cloud and hybrid networks," says Johnson. "This means they would need to secure user to app, and site to site, and we have leading encryption capabilities such as TLS within our VPN."
A Proactive Approach
She notes today's updates are not a reaction to attacker activity, but a proactive step given how businesses have transitioned to the cloud in recent years, especially in 2020. As Microsoft CEO Satya Nadella said last April, "We've seen two years' worth of digital transformation in two months."
"They're moving a ton of apps … and they need to deliver them globally, at scale, and we want to make sure we can do that from an app delivery standpoint, and an API standpoint, or even a website standpoint in a secure manner." The ability of Azure Front Door to combine security and CDN creates an opportunity to improve the way businesses deploy and secure content.
While there are cloud network security vendors with "a range of maturity in their solutions," Johnson notes that everyone is playing "just a little bit of catchup" because businesses are moving to the cloud faster than many network security capabilities can be built. Some Microsoft customers say that even after the pandemic slows, they will keep roughly half of their employees at home, Johnson says.
"That just means they're going to continue to operate in the way that they do," she continues. "And that need to move so many applications so quickly to the cloud … really drove the need to improve solutioning in this space."
Businesses that already subscribe to Microsoft's network security capabilities, depending on which they have, will automatically be able to try the SKUs in preview. Those who don't use Microsoft for CDN and some of these capabilities will need to subscribe, Johnson says.
This week Microsoft also announced that Azure Firewall Premium, which is designed to provide next-gen firewall capabilities required for sensitive and regulated environments, is now available in preview. This release brings capabilities including TLS inspection, a signature-based intrusion detection and prevention system (IDPS), URL filtering, and the ability for admins to filter outbound user access to the Internet based on specific Web categories.