Microsoft Azure Stack Security – Part One – built upon a secure hardware infrastructure.

By Martin Zich, CISSP

Since Microsoft launched Azure Stack, the on-premises version of its public cloud platform, at Microsoft Ignite in 2017, customers have shown strong interest in the platform, not least because of its security capabilities.

Azure Stack is an appliance-based solution: Microsoft locks down and secures the environment out of the box to ensure compatibility, stability and security. The operator of the private cloud therefore does not have to secure the underlying infrastructure themselves, including the physical switches connecting the physical and virtualized servers, and can concentrate on the workloads that support the core business functions.


In the first of two blog posts, we will look at how Azure Stack deals with infrastructure security.

Secure infrastructure starts with the platform

The Azure Stack vision is to run IaaS virtual machines and PaaS services within a scale unit (or stack); several stacks connected together form a region, and multiple regions form a cloud operated by a single instance of Azure Resource Manager (ARM).

Today only a single scale unit per region and a single region per Azure Stack cloud can be deployed, while Microsoft continues to work towards that vision. Each scale unit consists of several physical servers, Top of Rack (ToR) switches and BMC switches. HPE, as one of the OEM partners delivering Azure Stack hardware, builds security into the hardware layer by supplying HPE ProLiant Gen10 servers.

With Gen10, HPE offers the first industry-standard servers to include a silicon root of trust built into the hardware. The silicon root of trust anchors a chain of trusted handshakes from the lowest-level firmware through the BIOS/UEFI up to the software above it, so that the server only proceeds from a known good state. This helps Azure Stack customers prevent, detect and recover from attacks aimed at the server firmware. Together with UEFI Secure Boot, it ensures that only Microsoft-signed operating system components, drivers and other boot-time code are allowed to run. The servers also contain a TPM 2.0 module, which provides sealed storage for the platform's cryptographic keys: the keys are released only to a system that has booted into the measured, expected state.

HPE also delivers the Hardware Lifecycle Host (HLH), a physical server within the Azure Stack deployment that provides out-of-band hardware monitoring (fan speeds, temperatures and so on), firmware updates for the ToR and BMC switches, and the initial deployment of the Azure Stack infrastructure. Azure Stack typically ships with HPE OneView and iLO Advanced pre-installed for monitoring and managing the hardware, a familiar toolset for existing HPE server customers.

Securing the operating system

The Azure Stack infrastructure also contains a number of virtual machines running a hardened build of Windows Server 2016 that is compliant with the Defense Information Systems Agency (DISA) Security Technical Implementation Guide (STIG). Windows Server 2016 includes the latest built-in security features, such as Windows Defender Credential Guard (WDCG, protecting against credential theft from memory), Windows Defender Device Guard (WDDG, application whitelisting through code integrity policies) and Windows Defender antivirus and antimalware protection (with regular signature updates). All infrastructure components communicate over encrypted channels (TLS 1.2); both sides authenticate with certificates issued by the built-in Windows PKI, and authorization is enforced through Access Control Lists (ACLs).

‘Break-the-glass’ security management principles

Most day-to-day administration happens in the Azure Resource Manager (ARM) portal, which talks to the ARM REST API; Azure PowerShell, the Azure CLI and Visual Studio use the same API. For specific, less common tasks Azure Stack provides a Privileged Endpoint (PEP). The PEP follows the Just Enough Administration (JEA) model: it exposes only a whitelist of cmdlets and actions, and every action is logged and audited. The PEP is used for "break-the-glass" emergency management, for specific low-level tasks, for post-deployment integration tasks (for example setting up DNS forwarders and Active Directory Federation Services) and when working with Microsoft Support.
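What the JEA model looks like from the operator's side, as an added example that is not code from the article or from Microsoft: a scripted session against the privileged endpoint that lists what the constrained runspace exposes, runs one of the post-deployment tasks mentioned above and closes the endpoint so the audited transcript is released. The ERCS address, the forwarder IP and the transcript share are placeholders for your own deployment (assumptions). Cmdlet names follow Microsoft's PEP documentation; the Get-Command call inside the session is the authoritative list of what your build actually allows.

```powershell
# Added example (not from the article or from Microsoft): scripted PEP session.
# The PEP account is CloudAdmin in the Azure Stack internal domain ('azurestack' by default);
# its password was set at deployment time.
$cred = Get-Credential -UserName 'azurestack\CloudAdmin' -Message 'Privileged endpoint credentials'

# The PEP is hosted on the emergency recovery console (ERCS) VMs. Placeholder address (assumption):
$ercs = '10.0.0.2'

$sessionParams = @{
    ComputerName      = $ercs
    ConfigurationName = 'PrivilegedEndpoint'   # the JEA endpoint, not a full remoting session
    Credential        = $cred
    SessionOption     = (New-PSSessionOption -Culture en-US -UICulture en-US)
}
$pep = New-PSSession @sessionParams

# JEA: only the whitelisted cmdlets exist in this runspace. Anything not in this list
# cannot be run, regardless of how a script tries to call it.
Invoke-Command -Session $pep -ScriptBlock { Get-Command } |
    Select-Object -ExpandProperty Name | Sort-Object

# One of the post-deployment integration tasks the article mentions: point the
# infrastructure DNS at your corporate forwarder (placeholder IP, assumption).
Invoke-Command -Session $pep -ScriptBlock { Set-AzSDnsForwarder -IPAddress '10.0.0.53' }

# A health check through the same constrained endpoint.
Invoke-Command -Session $pep -ScriptBlock { Test-AzureStack }

# Close the endpoint explicitly: this is what copies the audited transcript of the
# session to the share you name (placeholder path), so do not just drop the session.
Invoke-Command -Session $pep -ScriptBlock {
    Close-PrivilegedEndpoint -TranscriptsPathDestination '\\fileserver\pep-transcripts' -Credential $using:cred
}
Remove-PSSession $pep
```

The point to take from the Get-Command output is that the PEP is not a shell on the infrastructure: there is no file system access, no arbitrary script execution and no way to reach other infrastructure VMs from it, which is what makes it safe to hand to an operator or to Microsoft Support during a break-the-glass event.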

All infrastructure and tenant data is encrypted at rest with BitLocker (128-bit AES), so that the physical loss or theft of an Azure Stack component does not expose the data stored on it.

Security events generated within the infrastructure are centrally collected and exposed through REST APIs, so they can be forwarded to third-party tools such as a SIEM to help customers identify breaches. All secrets used by the infrastructure components are rotated automatically. Because the environment runs with a fixed configuration, tighter security controls can be applied without functionality concerns, for example disabling legacy and vulnerable protocols such as NTLM, SMBv1 and older SSL/TLS versions.
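The controls described in this section and in the hardware and operating system sections above (Secure Boot and TPM 2.0, Credential Guard and Device Guard, BitLocker at rest, legacy protocols switched off) are applied by Microsoft to the infrastructure hosts, which you cannot log on to. The following added example, which is not code from the article, Microsoft or HPE, audits the same controls on a Windows Server 2016 host you do own, such as an IaaS VM, and shows the corrected settings beside the weak defaults for the protocol checks. The "expected" values are assumptions that encode a "legacy protocols off" baseline, not values taken from Microsoft's own hardening; registry paths and policy values are the documented Windows locations.

```powershell
# Added example (not from the article, Microsoft or HPE): host security baseline audit.
# Run as administrator on a Windows Server 2016 host you administer, e.g. an IaaS VM.
#Requires -RunAsAdministrator

$Schannel  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$LegacyTls = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1'

function Get-RegValue([string]$Path, [string]$Name) {
    # $null when the key or value is absent, rather than an exception.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Check([string]$Area, [string]$Control, $Actual, [bool]$Pass) {
    [pscustomobject]@{ Area = $Area; Control = $Control; Actual = $Actual; Pass = $Pass }
}

function Test-HostSecurityBaseline {
    # --- Hardware root of trust: UEFI Secure Boot and a TPM 2.0 ---
    try { $sb = Confirm-SecureBootUEFI -ErrorAction Stop } catch { $sb = $false }   # throws on legacy BIOS
    New-Check 'Platform' 'UEFI Secure Boot enabled' $sb $sb
    $tpm = Get-CimInstance -Namespace root\cimv2\Security\MicrosoftTpm -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVer = if ($tpm) { $tpm.SpecVersion } else { 'none' }
    New-Check 'Platform' 'TPM 2.0 present' $tpmVer ($tpmVer -like '2.0*')

    # --- OS: virtualization-based protections ---
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (Device Guard code integrity)
    $dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard
    $running = @($dg.SecurityServicesRunning)
    New-Check 'OS' 'Credential Guard running'      ($running -join ',') ($running -contains 1)
    New-Check 'OS' 'HVCI (Device Guard) running'   ($running -join ',') ($running -contains 2)

    # --- Data at rest: every volume protected, not merely encrypted with protection suspended ---
    if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
        foreach ($vol in @(Get-BitLockerVolume)) {
            New-Check 'Data at rest' "BitLocker on $($vol.MountPoint) ($($vol.EncryptionMethod))" `
                $vol.ProtectionStatus ($vol.ProtectionStatus -eq 'On')
        }
    }

    # --- Legacy protocols ---
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    New-Check 'Protocols' 'SMBv1 server disabled' $smb1 (-not $smb1)
    foreach ($proto in $LegacyTls) {
        # Only an explicit Enabled=0 counts: an absent key means OS defaults, and on
        # Server 2016 TLS 1.0 and 1.1 are enabled by default.
        $enabled = Get-RegValue "$Schannel\$proto\Server" 'Enabled'
        New-Check 'Protocols' "$proto disabled server-side" "Enabled=$enabled" ($enabled -eq 0)
    }
    $lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    New-Check 'Protocols' 'LM/NTLMv1 refused (LmCompatibilityLevel=5)' $lm ($lm -eq 5)
    $ntlm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictSendingNTLMTraffic'
    New-Check 'Protocols' 'Outgoing NTLM denied (RestrictSendingNTLMTraffic=2)' $ntlm ($ntlm -eq 2)
}

function Disable-LegacyProtocols {
    # The corrected settings for the weak defaults above. SCHANNEL and LSA changes take
    # effect after a reboot. RestrictSendingNTLMTraffic=2 breaks anything that still
    # depends on NTLM, so the default here is 1 (audit all); review the
    # Microsoft-Windows-NTLM/Operational event log before switching to deny.
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$DenyOutgoingNtlm)
    if ($PSCmdlet.ShouldProcess('SMB server', 'Disable SMBv1')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    foreach ($proto in $LegacyTls) {
        $key = "$Schannel\$proto\Server"
        if ($PSCmdlet.ShouldProcess($key, 'Enabled=0, DisabledByDefault=1')) {
            New-Item -Path $key -Force | Out-Null
            Set-ItemProperty -Path $key -Name Enabled -Value 0 -Type DWord
            Set-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -Type DWord
        }
    }
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    if ($PSCmdlet.ShouldProcess($lsa, 'LmCompatibilityLevel=5')) {
        Set-ItemProperty -Path $lsa -Name LmCompatibilityLevel -Value 5 -Type DWord
    }
    $ntlmLevel = if ($DenyOutgoingNtlm) { 2 } else { 1 }   # 1 = audit all, 2 = deny all
    if ($PSCmdlet.ShouldProcess("$lsa\MSV1_0", "RestrictSendingNTLMTraffic=$ntlmLevel")) {
        Set-ItemProperty -Path "$lsa\MSV1_0" -Name RestrictSendingNTLMTraffic -Value $ntlmLevel -Type DWord
    }
}

# Usage: report first, then preview the remediation before applying it for real.
Test-HostSecurityBaseline | Format-Table Area, Control, Actual, Pass -AutoSize
Disable-LegacyProtocols -WhatIf
```

Two caveats a practitioner will hit: the Credential Guard and HVCI checks will report "not running" inside a guest unless the hypervisor exposes virtualization extensions to it, and the SCHANNEL checks only cover the Server subkeys; a host that must not negotiate TLS 1.0 as a client needs the matching Client subkeys set as well.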


It is important to understand the high-level security principle behind the Azure Stack platform. In a public cloud, infrastructure security is entirely the provider's responsibility under the shared responsibility model. With Azure Stack, the same cloud-like experience is delivered on infrastructure running in your own data center or in a hosting facility you have chosen, so the physical and environmental security of that infrastructure is yours, while the locked-down platform itself is maintained by Microsoft and the OEM.

Infrastructure isn’t the only thing to think about when considering Azure Stack security. In the second part of this blog we’ll be looking in more detail at how the virtualized user space is protected within Azure Stack.

In the meantime, if you’d like to discuss your security concerns in more detail, or hear how we’ve helped other customers making the transition to a secure hybrid cloud, please feel free to reach out to the HPE Pointnext security and risk management practice. We also invite you to attend one of the sessions of the HPE – Microsoft Hybrid Cloud Roadshow being held in 16 cities worldwide from March through May 2019. More information on the Roadshow and a list of cities are available here.

About the Author

Martin Zich is an IT security advisory consultant and a member of the HPE Pointnext Worldwide Security and Risk Management practice, focused not only on information security and privacy across different environments and industries but also on overall cyber-defense and the solutions that enable its practical implementation. Apart from technical advisory, he helps organizations improve their IT security strategies and governance and address compliance requirements using IT security best practices.


HPE Alliance Partners