Secure your Application Server using Azure Trusted Launch
Protecting application servers is essential, and it becomes even more critical when those servers are hosted in a public cloud environment. Azure's trusted launch provides an easy way to improve the security of generation 2 virtual machines (VMs). The trusted launch feature offers protection against more sophisticated and persistent attack techniques. Trusted launch is made up of several infrastructure technologies that work together but can also be used on their own if necessary. Each technology adds another layer of defense against advanced threats.
With Trusted Launch, you can
You can always refer to the Limitations section of Microsoft's official documentation for an up-to-date list of supported VM sizes, supported operating systems, supported regions, and features that are not supported.
Deploy Application server with Trusted Launch
Trusted Launch must be enabled when a virtual machine is created. You can't turn on trusted launch for virtual machines that were created without it.
Secure Boot for the VM is at the heart of trusted launch. This mode, which is built into the platform firmware, prevents malware-based rootkits and bootkits from being installed. Secure Boot ensures that only signed operating systems and drivers can boot. It gives the software stack on your VM a "root of trust." When Secure Boot is turned on, the boot loader, kernel, and kernel drivers must all be signed by trusted publishers.
Trusted Launch also includes a vTPM for Azure virtual machines. This is a virtualized implementation of a Trusted Platform Module that complies with the TPM 2.0 specification. Its primary function is to act as a dedicated, secure vault for storing keys and measurements.
Virtualization-based Security, also known as VBS, takes advantage of the hypervisor to generate a section of memory that is both secure and isolated. Through the use of Trusted Launch, Hypervisor Code Integrity (HVCI) and Windows Defender Credential Guard can be enabled.
Integration with Microsoft Defender for Cloud
Microsoft Defender for Cloud integrates with Trusted Launch to ensure that your VMs are correctly set up. Microsoft Defender for Cloud continuously evaluates compatible VMs and provides relevant recommendations. If your VMs are correctly configured for trusted launch, Microsoft Defender for Cloud can identify VM health issues and notify you of them.
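Because trusted launch has to be chosen at creation time and Defender for Cloud flags VMs that are not configured for it, it is useful to audit your own inventory for the same settings. The following is an added example, not part of the original article or any Microsoft tool: it parses a constructed sample shaped like `az vm list` JSON output and reports VMs whose `securityProfile` lacks `TrustedLaunch`, Secure Boot, or vTPM (the field names follow the Azure Compute resource schema; the sample VM names and resource group are invented).

```python
"""Audit an Azure VM inventory for trusted launch settings (added example)."""
import json

# Constructed sample resembling `az vm list` output, trimmed to the
# securityProfile fields this check needs; not real tenant data.
SAMPLE_INVENTORY = json.dumps([
    {"name": "app-web-01", "resourceGroup": "rg-app",
     "securityProfile": {"securityType": "TrustedLaunch",
                         "uefiSettings": {"secureBootEnabled": True, "vTpmEnabled": True}}},
    {"name": "app-web-02", "resourceGroup": "rg-app",
     "securityProfile": {"securityType": "TrustedLaunch",
                         "uefiSettings": {"secureBootEnabled": False, "vTpmEnabled": True}}},
    {"name": "app-legacy-01", "resourceGroup": "rg-app", "securityProfile": None},
])


def assess_vm(vm: dict) -> list[str]:
    """Return the findings for one VM; an empty list means fully compliant."""
    findings = []
    profile = vm.get("securityProfile") or {}
    uefi = profile.get("uefiSettings") or {}
    if profile.get("securityType") != "TrustedLaunch":
        # The article states trusted launch cannot be turned on later,
        # so a VM created without it has to be redeployed.
        findings.append("not a trusted launch VM (redeploy required)")
        return findings
    if not uefi.get("secureBootEnabled"):
        findings.append("Secure Boot disabled")
    if not uefi.get("vTpmEnabled"):
        findings.append("vTPM disabled")
    return findings


def audit_inventory(inventory_json: str) -> dict[str, list[str]]:
    """Map each non-compliant VM (resourceGroup/name) to its findings."""
    report = {}
    for vm in json.loads(inventory_json):
        findings = assess_vm(vm)
        if findings:
            report[f"{vm['resourceGroup']}/{vm['name']}"] = findings
    return report


if __name__ == "__main__":
    for vm_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{vm_id}: {'; '.join(findings)}")
```

Feeding it real data means replacing `SAMPLE_INVENTORY` with the JSON from `az vm list` in your subscription; a VM that is compliant here can still be flagged by Defender for Cloud for other reasons, so treat this as a pre-check, not a replacement.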
Conclusion
This is a great feature to leverage for an additional layer of security for application servers running in the cloud.