In the interview I did with Mark Russinovich last month (An Interview with Mark Russinovich on Windows Azure & Security), I asked Mark about customers doing penetration testing. Mark pretty much said it was OK as long as they were not attacking the platform, which is true. However, I have a quick point of clarification: if you do this, you will want to notify Microsoft (operations and support) before you begin. There is some great information here: http://www.windowsazure.com/en-us/support/trust-center/security/
From that page:
Microsoft conducts regular penetration testing to improve Windows Azure security controls and processes. We understand that security assessment is also an important part of our customers’ application development and deployment. Therefore, we have established a policy for customers to carry out authorized penetration testing on their applications hosted in Windows Azure. Because such testing can be indistinguishable from a real attack, it is critical that customers conduct penetration testing only after obtaining approval in advance from Windows Azure Customer Support. Penetration testing must be conducted in accordance with our terms and conditions. Requests for penetration testing should be submitted with a minimum of 7 days’ advance notice.
To learn more or to initiate penetration testing, please download the Penetration Testing Approval Form and then contact Windows Azure Customer Support.
If you missed the interview, you can see it here:
- [2:22] What’s going on in the security industry landscape? What’s new, what’s changed, and why?
- [6:53] What can we do in Azure IaaS to protect customers who improperly secure their servers with poor passwords and general bad security practices?
- [9:19] What mechanisms does Microsoft have in place in Azure to keep someone from leveraging large numbers of Azure VMs or roles to launch a DDOS?
- [11:23] How do we prevent attacks from tools like TSgrinder that try to use brute force access to a Remote Desktop?
- [14:49] What can we do to enable customers in Azure who need to have their data remain inside a country’s borders?
- [16:30] Who do I call if I suspect that someone is taking advantage of or hacking into my Azure based VMs?
- [20:11] Is there a way for a customer to perform their own penetration testing on our Azure platform, or what method would you recommend for customers to test?
- [28:39] What’s next for you?