CHAPTER 1

Microsoft Azure and Cloud Computing

What Is Microsoft Azure?

Microsoft Azure is an overarching brand name for Microsoft’s cloud-computing services. It covers a broad, and still growing, range of services that often form the foundational elements of cloud computing.

If you are reading this book, chances are that you are an information technology (IT) professional and have some basic knowledge of Azure. This book was written for the IT professional interested in using cloud-computing services. Some of the topics that may interest you include lowering operating costs, increasing agility, developing better disaster recovery (DR) strategies, accessing unlimited storage, and foregoing responsibility for future hardware refreshes.

Although Azure is considered a fairly new cloud service, it has grown by leaps and bounds in terms of capabilities and offerings during its brief history. Azure is also so diverse that it is not uncommon for IT professionals to be familiar with only a specific subset of Azure services.

The Azure/Office 365 Connection

Azure was introduced as Windows Azure in 2008. Prior to 2008, Microsoft primarily focused on another cloud service that was well known as Business Productivity Online Standard Suite (BPOS). BPOS consisted of Exchange 2007, Microsoft Office SharePoint Server 2007, Office Communications Online, and Microsoft Office Live Meeting. In 2011, Microsoft rebranded BPOS to Office 365. Office 365 is a software as a service (SaaS) offering that provides customers with access to Microsoft’s top productivity tools without having to implement and maintain significant on-premises infrastructure. Office 365 delivers Exchange Online to provide turnkey e-mail services, SharePoint Online to provide collaboration capabilities, Lync Online for instant messaging (IM) and virtual meeting spaces, and Office Pro Plus for productivity tools for desktop and mobile users.

In order to provide SaaS capabilities for customers, Microsoft had to build datacenters to host the BPOS and then Office 365 productivity suite offerings. The datacenter infrastructure is provided and managed by a special team within Microsoft known as Global Foundation Services (GFS). As a result, customers now have the option to use Microsoft’s productivity and collaboration tools without the added complexity of managing them.

Other core benefits of Office 365 are its scalability, high availability, and associated service-level agreement (SLA). Providing these requires more datacenters, geo-redundancy (redundant services in different geographic regions), and a highly trained operational workforce. The investment made by Microsoft in GFS is beyond the means of many organizations. As a result, even small businesses can now enjoy enterprise-level SLAs and performance.

Anyone who has installed and configured Exchange, SharePoint, or Lync on-premises knows there are myriad required dependent technologies. Active Directory services for identity management is one such technology. To ensure that the services are performing well, monitoring tools such as System Center Operations Manager are required. To provide Office 365 subscribers with unlimited OneDrive for business storage space, a vast and comprehensive storage solution had to be adopted by GFS. Remember too that these services and benefits need to be cost competitive, so economies of scale and efficiency of operations are important topics that Microsoft and GFS continuously need to manage.

It is well known that the birth of cloud computing resulted from the realization that it is possible to monetize excess computing capabilities. What differentiates Azure is that it was built specifically to provide cloud services. It is not the result of excess computing capabilities that were designed for other purposes. It was designed from the ground up to support Office 365. Because other non-Office 365 services can take advantage of foundational services, such as Active Directory, Azure makes acquiring these services possible.

IaaS, PaaS, and SaaS

We have identified Microsoft Office 365 as a SaaS. Other types of cloud services are classified as infrastructure as a service (IaaS) or platform as a service (PaaS).

Because Azure provides computing power for Office 365 foundational services, such as Active Directory, it is easy to identify the IaaS nature of Azure. In fact, Azure is most recognized for its IaaS offering. Examples of Azure IaaS offerings include Azure virtual machines and virtual networks, Azure storage solutions, and Azure recovery services. However, Azure is most often mistaken to be only an IaaS, when in fact it has a large portfolio of PaaS offerings. Examples of its PaaS offerings include Azure SQL Database, Azure websites, Azure Content Delivery Network (CDN), Azure BizTalk Services, and Azure Mobile Services.

As you can see, the Azure portfolio of services is much more significant than better-known Office 365 SaaS offering. Subsequent chapters cover key Azure services. For now, the important takeaway is that, as far as cloud computing goes, Microsoft has demonstrated that it is betting its future as a cloud-computing services provider. No other technology company has the combination of mature technologies, infrastructure, and financial commitment to package a complete SaaS, IaaS, and PaaS offering. In fact, with the changing of the guard in Microsoft’s corner office, CEO Satya Nadella has made cloud computing part of the company’s mission—mobile first, cloud first. It also helps that Mr. Nadella was the executive responsible for inventing and developing the Azure business.

When Microsoft reported its earnings for the quarter ending September 2014, cloud-computing services grew by 128% over the previous year, and they contributed to the bulk of the company’s $14.93 billion in revenue.

These developments are important if you are shopping for an IT partner to provide cloud-computing services, because you are handing off a very important piece of your IT operations. Knowing that a company has built its comprehensive cloud-computing services from the ground up and that it has a strong financial portfolio, has leadership committed to the service, and is an industry leader should buoy the confidence of any CIO making this decision.

Security, Compliance, and Privacy

As a service offering, Azure is a follow-up act to Microsoft Office 365. This is important because Microsoft implemented many industry-required security standards and regulatory compliance requirements when building the Office 365 business. Furthermore, through Office 365 operations, Microsoft has built a cloud-specific, service-oriented organization to address operational requirements including sales and licensing, incident management, and customer support.

For Office 365, Microsoft introduced the concept of a Trust Center. A Trust Center is Microsoft’s one-stop shop on the Web for all things related to security, compliance, certifications, SLA metrics, and privacy. It is basically everything a customer needs in order to trust a service. Therefore, like Office 365, there is a Trust Center for the Azure cloud service, known simply as the Microsoft Azure Trust Center (http://azure.microsoft.com/en-us/support/trust-center). Figure 1-1 shows the Microsoft Azure Trust Center.

Addressing Security

Microsoft adopted a multipronged approach when it comes to addressing security in the Azure platform. In addition to standard 24×7 monitoring of the service, other core elements of the approach are discussed in the following subsections.

Using Existing Resources across the Organization

Instead of reinventing the wheel, Microsoft used and enhanced existing resources to secure Azure. By relying on the combined experiences of the Digital Crimes Unit , the Malware Protection Center, and Microsoft Research, and with visibility to security threats on a global scale through services such as Windows Update, Xbox Live, and Office 365, Microsoft is in a great position to have early knowledge to address threats. Microsoft has also proven to be relentless in prosecuting hackers and shutting down rogue hosting providers.

Adhering to an Evolving Security Development Life Cycle

Microsoft aggressively patches its cloud-computing platform and has been following a disciplined Security Development Life Cycle (SDL) that was introduced in 2004 to develop more secure code. Because Microsoft is the developer of nearly the entire technology stack, from the Hypervisor on up, the company is in the best position to be agile in making code changes. Microsoft engineers have been trained to adopt an “assume a breach” mindset and to address potential issues aggressively.

Machine Learning

One of the most interesting approaches to security is Microsoft’s use of machine learning (ML). Machine learning is based on complex algorithms developed by Microsoft Research, and it serves three purposes:

• It is used as the technology that drives consumer services like Xbox, Bing, and Cortana.
• As an Azure service, it allows customers to use it to mine data.
• It is used as the technology that mines data and logs to identify threats.

Microsoft also uses rules to trigger suspicious activities. For example, if a user logs in successfully from Singapore and then attempts to log in from Seattle a few minutes later, this triggers a security event. Even though this could technically be accomplished via remote access, the security event is still triggered because of the “assume a breach” mentality.

Previewing New Security Features

Another practice adopted by Microsoft is involvement of the user community. This began with the early preview program for the Windows desktop OS, much like the Windows 10 preview program in place at the time of this writing. This practice has been extended to the introduction of new features in the Azure platform, including those related to security. Figure 1-2 shows new security features being previewed in Azure Active Directory at the time of this writing.

Penetration Testing

Penetration testing is a standard part of any robust security program. As part of standard operations, Microsoft conducts regular penetration tests against the Azure platform. Moreover, the program goes a step further by incorporating a white hat feature that allows customers to conduct their own penetration testing. Customers are required to agree to the terms of penetration testing, submit a request form, and receive approval before conducting such tests. The terms and the request form can be found on the Microsoft Azure Trust Center or at https://security-forms.azure.com/penetration-testing/terms.

Certifications and Industry Standards

Azure is also built to meet industry standards for IT and specifically for cloud-computing services. Industry-recognized certifications have been obtained for Azure, including the following:

• ISO 27001/27002
• SOC 1/SSAE 16/ISAE 3402 and SOC 2
• Cloud Security Alliance CCM
• PCI DSS Level 1

Azure is also certified by international standards because it is a global service. Examples of international certifications for Azure include the following:

• United Kingdom G-Cloud
• Australian IRAP
• Singapore MTCS
• EU Model Clauses

Prominent industry-specific certifications are also applicable to Azure, such as these:

• HIPAA
• Food and Drug Administration 21 CFR Part 11
• FERPA

The full list of certifications for the Azure platform is located at the Microsoft Azure Trust Center: http://azure.microsoft.com/en-us/support/trust-center/compliance.

Certifications govern the suitability of Azure for specific industry use, and they form the basis of customer trust. Third-party auditors, who are recognized by the certification bodies, independently verify each certification. There is also a requirement for recertification and periodic audits to ensure compliance with all certifications.

Microsoft is a member of the advisory committees of many of the certification bodies, and it provides feedback and recommendations on proposed changes. This allows Microsoft to have visibility into many upcoming changes in order to incorporate them into the Azure platform in a timely manner.

Microsoft Azure Government

Shortly after Office 365 debuted, Microsoft realized that there are specific requirements unique to government entities. This was initially most applicable to the United States federal government and extends to US state and local governments that interact and share data with the federal government. As such, the concept of a US government-only cloud was conceived, which led to the release of the Office 365 Government Community Cloud (GCC). Customers under the Office 365 GCC model must be US federal, state, or local government entities. Today, there are separate GCCs for non-US governments.

Like Office 365, Azure was initially released as a public cloud platform; but in October 2014, Microsoft Azure Government, which is the government edition equivalent to the GCC, was soft-launched for a select number of early government customers. On December 9, 2014, Microsoft publicly announced the general availability of Azure Government. It is considered a rolling deployment, and although not all capabilities and services in Azure are available in Azure Government, there is a roadmap to identify when a capability becomes available.

For more information about Azure Government, check out http://azure.microsoft.com/en-us/features/gov/.

Azure Government is significantly different from other cloud services providers because it specifically addresses technical and mandatory regulatory requirements, such as

• FedRAMP
• FISMA
• FBI Criminal Justice Information Systems (CJIS)

Often, these government-specific requirements make it difficult for cloud services providers to scale up. They may also make it riskier for cloud services providers because of special SLAs and compliance requirements that can cause providers to be penalized for noncompliance. For example, the FBI CJIS standard requires that the cloud service provider’s personnel be background-checked and fingerprinted. At the time of this writing, Azure Government is the only major service that can meet all the requirements in FBI CJIS.

Privacy

Microsoft strongly believes in customer privacy and that content in Azure belongs to the customer. Microsoft draws a clear line separating consumer services from enterprise services, with Azure falling in the latter category where no customer data is mined, sold, or shared with marketers or third-party partners.

Microsoft also promotes privacy by making sure it is transparent about how information is managed. For example, Microsoft published a white paper entitled “Protecting Data and Privacy in the Cloud” to explain how it handles privacy as it relates to cloud-computing services. Microsoft also publishes its datacenter regions, and it goes into detail regarding if, when, and how data is transferred between regions.

When it comes to privacy, the European Union (EU) has the most stringent requirements to govern the handling of personal data, as extensively covered under the EU Data Protection Directive (95/46/EC). Microsoft adheres to the US-EU Safe Harbor certification, which allows data to be transferred outside of the EU to Microsoft for processing purposes.

The Microsoft Azure Trust Center has a section on privacy at http://azure.microsoft.com/en-us/support/trust-center/privacy.

It is a good practice to search the Microsoft Azure Trust Center and set a favorite for the important information you find. This simple approach has been one of the best practices adopted by Microsoft, and it helps to provide answers quickly to many of the questions that contribute to the uncertainty of adopting a cloud-computing service.

Why Microsoft Azure?

Now that you have a basic understanding of Azure and a sense of how it meets security, regulatory compliance, and privacy requirements, the next question is, “Why Microsoft Azure?”

The bigger question, though, is “Why cloud computing?” The promise of cloud computing, regardless of whether it is of the SaaS, IaaS, or PaaS variety, is the ability to use economies of scale to drive down the costs associated with IT operations. It also allows any organization to achieve a high degree of availability and resiliency at a truly geo-redundant level.

Furthermore, the highly elastic nature of cloud computing provides customers with the ability not only to scale up in real time, but also to scale down when services are not needed, ultimately paying only for utilization. Acquiring hardware and software in the traditional way meant being able to meet peak utilization, if scoped correctly, but it also led to idle usage most of the time.

Cloud computing provides all the attributes to maximize the efficiency of IT operations from a financial standpoint as well as from a service-delivery standpoint. Azure possesses all of these attributes, with the added benefit of being fully integrated into the Office 365 SaaS offering, thereby making Microsoft one of the most comprehensive providers of cloud-computing services.

The Azure Portal

The Azure Portal, or simply the Portal, is the web management interface for all Azure resources. At the time of this writing, the web address of the Portal is https://manage.windowsazure.com. You see the Portal referenced extensively in this book, because this is how you manage Azure.

How Azure Is Licensed

Before embarking on a discussion of licensing, you need to become familiar with two Azure terms: Azure account and Azure subscription. These are the logical containers that differentiate one customer from another.

Azure Accounts

As the name implies, an Azure account is the first step to acquiring Azure services. The Azure account requires a unique identity known as the Microsoft Azure account name. This name uniquely identifies a particular customer, and there is usually a one-to-one relationship between the customer entity and the account name.

There are three ways to set up an Azure account:

• By creating a new Microsoft account or use an existing Microsoft account
• Via an Enterprise Agreement (EA)
• Via an existing Office 365 tenant

Creating an Azure Account

You can use a Microsoft account, formerly known as a Microsoft Live ID, to create a new Azure account. Follow these steps to sign up for an Azure account with a Microsoft account. We assume that you already have a Microsoft account or know how to sign up for one, so we do not go through those steps here.

Going through the previous steps creates a unique Azure account name. You can determine the Azure account name by following the steps in the next exercise.

If instead of using a Microsoft account your organization purchases Azure through an Enterprise Agreement, your Microsoft account team will help you sign up for an Azure account.

If your organization already has an Office 365 subscription, you can create an Azure account based on the same tenant name as your Office 365 subscription. Follow the steps in the next exercise to create an Azure account based on an existing Office 365 tenant.

Azure Subscriptions

We just walked you through the process of adding a subscription in the previous section. Once you have an Azure account, you need to add one or more Azure subscriptions to the account.

As mentioned earlier, Azure is a collection of many cloud-computing services. As such, each service may have its own licensing and utilization model. For the services covered in the following chapters, a section addresses licensing issues and costs specific to that Azure service. However, as an introduction, it is sufficient to know that there are primarily three types of utilization models in Azure:

• Azure pay-as-you-go via credit card
• Azure monetary commitment
• Azure Client Access Licenses (CALs)

Depending on the type of Azure service, one or more of these models will be applicable.

An Azure subscription is the primary consumption vehicle for Azure services, which are charged based on utilization. An example of Azure utilization is Azure virtual machines (VMs). Azure VMs are charged based on uptime. Another example of an Azure service that is billed based on use is storage.

The pay-as-you-go option via credit card, as the name implies, allows services such as Azure VMs to be charged to a credit card on a monthly basis. When you create Azure VMs, you can pick the specific Azure subscription against which such use is billed. You see this throughout the book as you create different Azure services.

Azure monetary commitment is designed for large enterprises to pay for Azure services on an annual basis. This is usually tied to an EA, which is also renewable on an annual basis. Such an organization estimates its use for the year and pays that amount as part of the EA renewal. Once a monetary commitment subscription has been created, Azure services can start drawing down from that subscription amount. Azure monitors daily consumption trends to determine whether there are enough funds in a monetary commitment subscription to last until the annual renewal date. If not, the global and billing administrators are notified, and the organization can add funds to the Microsoft subscription. This simplifies billing and facilitates budget planning and allocation for enterprises.

However, not all Azure services are based on consumption. Some Azure services are based on traditional server licensing or CALs. Examples of Azure services that rely on the CAL model are Azure Active Directory (AAD) Premium and the Enterprise Mobility Suite (EMS). To use such services, a customer pays only for the required licenses. All Azure license-based services are subscriptions, and they are usually priced per user or instance per month. Later chapters cover services such as AAD Premium and EMS.

Multiple Azure Subscriptions

Azure’s ability to support multiple subscriptions per Azure account makes it easier to do separate billing. This is especially useful in bill-back scenarios.

When you have multiple Azure subscriptions in your Azure account and have created different Azure resources that consume against their respective subscriptions, you can use the subscription filter to display only the resources associated with any of the subscriptions. The subscription filter is located in your Azure Portal, as shown in Figure 1-15.

Scoping Azure

Now that you understand the concept of Azure accounts and subscriptions and have worked through the exercises to create them, it is time to determine how many Azure resources you consume. Under the pay-as-you-go model, you want to forecast your charges. Under the monetary commitment model, you need to know how much to commit for the upcoming year. Therefore, you need a way to come up with an estimate.

If you are an Enterprise customer and have a Microsoft account team, you can work with the account team to come up with that estimate. If you do not have an account team assigned to your organization, you can work with a Microsoft Certified Cloud Services partner or use the Azure Pricing Calculator.

Accessing the Azure Pricing Calculator

The Azure Pricing Calculator is located at: http://azure.microsoft.com/en-us/pricing/calculator. You can also access it from the Portal by following these steps:

1. Log in to the Portal at https://manage.windowsazure.com.
2. Expand the Microsoft Azure menu by clicking the chevron next to the Microsoft Azure logo at top left, as shown in Figure 1-16.

   

   Figure 1-16. Expanding the Microsoft Azure menu

3. Select Pricing from the expanded menu, as shown in Figure 1-17.

   

   Figure 1-17. Select Pricing from the expanded menu

Using the Azure Pricing Calculator

The Azure Pricing Calculator is intuitive and easy to use. You can select from the different Azure service categories, such as web sites, VMs, storage, and so on, along the top. Figure 1-18 shows the Azure Pricing Calculator.

Once you have selected a category, the options for that category are displayed. Use the sliders next to an Azure resource to determine the number of units that you require.

Summary

This chapter was designed to get you started with Microsoft Azure. It introduced you to the various Azure services and how this cloud-computing platform addresses security, regulatory compliance, and privacy concerns.

You were also introduced to key Azure technologies, such as the Azure Portal, Azure accounts and subscriptions, and the different ways that Azure services can be billed. Finally, we introduced the Azure Pricing Calculator as a tool to assist you in estimating how much Azure services will cost you.

Chapter 2 introduces the different Azure Services. Later chapters explore some of these services in greater detail, including use-case and deployment scenarios.