One of my ex co-workers at Microsoft, Bruce Kyle, recently posted a 7 part blog series on Windows Azure Security Best Practices. Bruce wrote the series of articles for Microsoft ISVs (Independent Software Vendors). However, as I said in my recent InfoQ white paper, The Software as a Service Development Life Cycle, even non-ISVs should start thinking of themselves as providing IT as a service to their internal customers. So this series should be of interest to everyone designing and developing applications to run in Windows Azure. This is the best treatment of the subject that I have seen and it is chock-full of excellent references to other sources of security information.
Part 1 covers the potential threat attack vectors and defenses against them.
Since security is a shared responsibility, Part 2 discusses how Windows Azure secures its platform services and what you need to do to carry out your responsibilities. It also includes a list of ten important things that you should know about Windows Azure security. It concludes with a discussion of compliance and the certifications that Windows Azure components do (and do not) currently have.
Part 3 is dedicated to a continued discussion of your responsibilities concerning security. Starting with an architecture approach, it covers the Security Frame methodology defined by the Microsoft Patterns & Practices group as a way to identify and mitigate any and all threats to your application running in Windows Azure. It includes several useful checklists for securing your Windows Azure application. It also covers lightly the Security Development Life Cycle that Microsoft uses on all internal software development projects and that Microsoft recommends customers follow in developing their applications.
Part 4 covers additional guidelines and best practices for securing your applications.
The subject of Claims-based Identity and Single Sign-On is the focus of Part 5. This includes such topics as using Windows Identity Foundation to integrate on-premise Active Directory and Windows Azure security.
Part 6 continues the discussion with coverage of Active Directory and Windows Azure Access Control Services, used to extend your on-premise security into the cloud. It also talks about using Windows Azure Connect to blend on-premise and in-Azure applications in order to build hybrid applications. It wraps up with a brief discussion of the Windows Azure Service Bus, another Windows Azure service that you can use to build secure hybrid applications.
A bunch of additional miscellaneous best practices are covered in Part 7, the final part of the series (so far).
I cannot recommend this series of articles highly enough. Everyone designing and/or developing applications to run in Windows Azure should read this series and the many references to other sources of information that it contains.