by Eyal Estrin, Cloud Architect, Inter-University Computation Center (IUCC)
Additional fundamental Cloud Security concepts can be found here.

The goal of this post is to present a common case study for building a research environment in Azure.

Building an environment in the cloud involves several issues we need to take into consideration, such as how to access resources in the cloud, where and how to store data in the cloud, how to protect the infrastructure, etc.

Let’s consider the following architecture:

  • Researchers remotely connect to the cloud environment over the internet and connect to a Windows machine with data analytics tools
  • Original data sets will be stored using file storage
  • Output data will be processed in an Azure SQL database
  • Due to data sensitivity, data must be protected at all times

Here are some best practices for a research team to adopt using built-in Azure services:

Infrastructure

Network connectivity

  • Remote access to the cloud environment will be done using Azure Point-to-Site VPN
  • All resources will be located in a single Azure Resource Group, but the Windows VM and the Azure SQL database will be located in separate subnets
  • The Windows VM will be located in a DMZ subnet, and access to this subnet will be protected using an Azure Network Security Group that allows VPN-authenticated clients on TCP port 3389 (RDP) only
  • The database will be located in a DB subnet, and access to this subnet will be protected using an Azure Network Security Group that allows access to the Azure SQL port from the DMZ subnet only
  • Further explanations on Azure Network Security Groups can be found here: https://docs.microsoft.com/en-us/azure/virtual-network/security-overview
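The following is an added example, not code from the original post: a small local model of how an NSG evaluates inbound rules (lowest priority number first, first match wins, plus Azure's non-deletable default rules), used to check that the DMZ/DB rule set above admits only the intended flows. The address ranges are constructed placeholders, and the explicit "deny all other inbound" rule in each NSG is an assumption added here; without it, the default AllowVnetInBound rule lets the DMZ VM reach every port on the DB subnet, not just the SQL port.

```python
import ipaddress

VPN_CLIENTS = "172.16.0.0/24"   # assumed Point-to-Site client address pool (outside the VNet)
DMZ_SUBNET = "10.0.1.0/24"      # assumed DMZ subnet (Windows VM)
DB_SUBNET = "10.0.2.0/24"       # assumed DB subnet (Azure SQL)
VNET = "10.0.0.0/16"            # assumed VNet address space (the "VirtualNetwork" tag)

def rule(name, priority, access, src, port):
    """Inbound TCP rule in the (simplified) shape of an ARM securityRule."""
    return {"name": name, "priority": priority, "access": access,
            "sourceAddressPrefix": src, "destinationPortRange": port}

# Azure's default inbound rules (priority 65000 and up) cannot be removed:
# any VNet-to-VNet traffic is allowed, then everything else is denied.
DEFAULT_RULES = [rule("AllowVnetInBound", 65000, "Allow", VNET, "*"),
                 rule("DenyAllInBound", 65500, "Deny", "*", "*")]

DMZ_NSG = [rule("AllowRdpFromVpn", 100, "Allow", VPN_CLIENTS, "3389"),
           rule("DenyAllOtherInbound", 4096, "Deny", "*", "*")]   # assumption
DB_NSG = [rule("AllowSqlFromDmz", 100, "Allow", DMZ_SUBNET, "1433"),
          rule("DenyAllOtherInbound", 4096, "Deny", "*", "*")]    # assumption

def matches(r, src_ip, dst_port):
    """True if the rule's source prefix and destination port cover this flow."""
    prefix_ok = r["sourceAddressPrefix"] == "*" or \
        ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["sourceAddressPrefix"])
    port_ok = r["destinationPortRange"] == "*" or int(r["destinationPortRange"]) == dst_port
    return prefix_ok and port_ok

def evaluate(nsg, src_ip, dst_port):
    """Return (access, rule name) for an inbound flow: lowest priority number wins."""
    for r in sorted(nsg + DEFAULT_RULES, key=lambda r: r["priority"]):
        if matches(r, src_ip, dst_port):
            return r["access"], r["name"]
    raise AssertionError("DenyAllInBound should always match")

def without_explicit_deny(nsg):
    """The same NSG with the custom deny rule left out, to show why it matters."""
    return [r for r in nsg if r["access"] != "Deny"]

if __name__ == "__main__":
    print(evaluate(DMZ_NSG, "172.16.0.7", 3389))    # ('Allow', 'AllowRdpFromVpn')
    print(evaluate(DMZ_NSG, "203.0.113.5", 3389))   # ('Deny', 'DenyAllOtherInbound')
    print(evaluate(DB_NSG, "10.0.1.4", 1433))       # ('Allow', 'AllowSqlFromDmz')
    # Without the explicit deny, the default AllowVnetInBound rule admits
    # SMB (445) from the DMZ VM to the DB subnet:
    print(evaluate(without_explicit_deny(DB_NSG), "10.0.1.4", 445))  # ('Allow', 'AllowVnetInBound')
```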

Database

Storage

Authentication

Auditing

Summary

In this post, I’ve explained how to use Azure services in order to build and maintain a secure research environment, keeping sensitive data protected while addressing all the specified research requirements.