Bill Wilder Boston Code Camp #25 02-Apr-2016 (1:45 – 2:45) 17 Specific Azure Security Tips and Tricks
CTO
Harrenhal – Threats Change Over Time: "The largest and greatest fortress ever built in Westeros. Harren thought the walls of his massive castle could withstand any assault, but he did not realize that dragons could simply fly over them." Threat models CHANGE over time!
“[Cloud security] is a shared responsibility between the customer and the cloud vendor.” Mark Russinovich, Microsoft Azure CTO
The Code Spaces incident:
1. DDoS
2. Ransom demand
3. Security breach noticed
4. Fighting back
5. Malicious destruction of assets
6. Security & business #fail
"Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced."
Data plane (data access) vs. mgmt/control plane (Portal, APIs, PowerShell)
ELAPSED TIME: 12 HOURS
Risk → Mitigation (slide from Mark Russinovich's talk at RSA 2015, w01_assume-breach-an-inside-look-at-cloud-service-provider-security.pdf):
- Internet-exposed RDP or SSH endpoints → Network ACLs or host-based firewall; strong passwords; VPN or SSH tunnels
- Virtual machine missing security patches → Keep automatic updates enabled
- Web application vulnerability → Securing Azure web applications; vulnerability scan / penetration test
- Weak admin/co-admin credentials → Azure Multi-Factor Authentication; subscription management certificate
- Unrestricted SQL endpoint → Azure SQL firewall
- Storage key disclosure → Manage access to storage resources
- Insufficient security monitoring → Azure security and log management
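For the "storage key disclosure" row above, the usual mitigation is to never hand the account key to clients and instead issue a scoped Shared Access Signature. This is an added example, not code from the deck; it assumes the classic WindowsAzure.Storage SDK (7.x-era API) that the deck's own Key Vault snippet targets, and the helper name and container/blob names are constructed.

```csharp
using System;
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Blob;

// Added example (not from the deck). Hypothetical helper: instead of shipping the
// storage account key to a client, mint a SAS URL that is read-only, scoped to one
// blob, HTTPS-only and short-lived.
static class BlobSasIssuer
{
    public static Uri MakeReadOnlyBlobUri(CloudStorageAccount account,
                                          string containerName,
                                          string blobName,
                                          TimeSpan lifetime)
    {
        CloudBlockBlob blob = account.CreateCloudBlobClient()
                                     .GetContainerReference(containerName)
                                     .GetBlockBlobReference(blobName);

        var policy = new SharedAccessBlobPolicy
        {
            Permissions = SharedAccessBlobPermissions.Read,               // no write/delete
            SharedAccessStartTime = DateTimeOffset.UtcNow.AddMinutes(-5), // tolerate clock skew
            SharedAccessExpiryTime = DateTimeOffset.UtcNow.Add(lifetime)
        };

        // Signed server-side with the account key; the key itself never leaves here.
        // Positional args: policy, response headers, stored-policy id, protocol, IP range.
        string sasToken = blob.GetSharedAccessSignature(
            policy, null, null, SharedAccessProtocol.HttpsOnly, null);

        return new Uri(blob.Uri.AbsoluteUri + sasToken);
    }
}

// Usage (constructed values): a one-hour read link for a single report blob.
// var account = CloudStorageAccount.Parse(connectionString);
// Uri link = BlobSasIssuer.MakeReadOnlyBlobUri(account, "reports", "q1.pdf", TimeSpan.FromHours(1));
```

An ad-hoc SAS like this cannot be revoked before it expires except by regenerating the account key; if you need revocation, sign against a container stored access policy (the third argument) and delete that policy instead.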
1. Research & Development – "Microsoft invests >$1B dollars in security R&D, every year." –Satya Nadella, CEO, Microsoft
2. Microsoft Acquisitions – Adallom, Aorato, others
Protecting the Management/Control
Demo: MFA – Management/MultifactorVerification.aspx
Demo: App Passwords – Management/MfaSettings.aspx
Demo: App Password Configuration – Passwords.aspx
Azure portal history:
1. v1: HTML
2. v2: Silverlight
3. v3: back to HTML (today known as the "classic" portal)
4. v4: back to Silverlight (just kidding) – really HTML 5
More granular security: RBAC
- Co-Admin is the only option on the Classic Portal
- RBAC only available on portal.azure.com
- New portal support not 100%
Demo: Add a Reader to an Azure SQL DB Server
Resources:
- RBAC only available on portal.azure.com
- Co-Admin is at the Subscription level
- Use a separate Subscription for an "anything goes" environment (like for dev collaboration)
- Lock a Subscription, Resource Group, or Resource in Azure: us/documentation/articles/resource-group-lock-resources/
Authentication &
Use the same AAD where it makes sense across:
- Azure
- Office 365
- Visual Studio Team Services
- Windows 10 (Intune)
- Third-party applications (e.g.,
Not just across Azure, Office 365, … Demo: Custom App SSO with
Demo: Custom App SSO with AAD, but with no code in the
Demo: Custom App SSO with
Azure Web App Certificate & Credential
Demo: Show DB connection string setting in portal
Demo: Show where to upload an SSL certificate to Azure (SNI support has tipped)
Enforce SSL connection – us/documentation/articles/web-sites-configure-ssl-certificate/#4-enforce-https-on-your-app
Let's Encrypt –
SQL
Demo: SQL DB Server Database Level:
Dynamic Data Masking: us/documentation/articles/sql-database-dynamic-data-masking-get-started/
Demo: Transparent Data Encryption (server-side)
Always Encrypted: us/updates/public-preview-always-encrypted-for-azure-sql-database/
Blob Storage & Azure Key
TDE: us/documentation/articles/storage-service-encryption/
General (excellent) resource: us/documentation/articles/storage-security-guide/
AKV: us/documentation/articles/key-vault-whatis/
using System.Threading;
using Microsoft.Azure.KeyVault;
using Microsoft.WindowsAzure.Storage.Blob;

// Resolve the Key Vault key that will wrap each blob's content encryption key
var resolver = new KeyVaultKeyResolver(GetAzureKeyVaultAccessToken);
var rsaKey = await resolver.ResolveKeyAsync(keyId, CancellationToken.None);
// Client-side encryption on upload: pass the key; the resolver argument is only needed for download
var uploadOptions = new BlobRequestOptions
{
    EncryptionPolicy = new BlobEncryptionPolicy(rsaKey, null),
    RequireEncryption = true   // fail rather than ever upload this blob in the clear
};
var blob = container.GetBlockBlobReference(fileName);
await blob.UploadFromByteArrayAsync(content, 0, content.Length, null, uploadOptions, null);
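The read side of the upload snippet above, as an added example that is not part of the deck: on download the SDK is given the Key Vault resolver rather than a fixed key, and RequireEncryption makes it fail closed. It assumes the same CloudBlobContainer and the deck's GetAzureKeyVaultAccessToken callback; the class and method names are constructed.

```csharp
using System.IO;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.WindowsAzure.Storage.Blob;

// Added example (not from the deck): download and decrypt a blob that was
// client-side encrypted with a Key Vault-held key, as in the upload snippet.
static class EncryptedBlobReader
{
    // getToken is the same authentication callback the upload code passes to
    // KeyVaultKeyResolver (the deck's GetAzureKeyVaultAccessToken).
    public static async Task<byte[]> DownloadDecryptedAsync(
        CloudBlobContainer container,
        string fileName,
        KeyVaultClient.AuthenticationCallback getToken)
    {
        // On download we hand the SDK the *resolver*, not a fixed key: it reads the
        // key identifier from the blob's encryption metadata and asks Key Vault to
        // unwrap that blob's content key, so blobs wrapped under an older key
        // version still open after the vault key has been rotated.
        var resolver = new KeyVaultKeyResolver(getToken);
        var options = new BlobRequestOptions
        {
            EncryptionPolicy = new BlobEncryptionPolicy(null, resolver),
            // Fail closed: a blob that somebody stored in clear (e.g. via a tool
            // that bypassed the encryption policy) is rejected, not silently returned.
            RequireEncryption = true
        };

        var blob = container.GetBlockBlobReference(fileName);
        using (var buffer = new MemoryStream())
        {
            // The SDK decrypts transparently while streaming into the buffer.
            await blob.DownloadToStreamAsync(buffer, null, options, null);
            return buffer.ToArray();
        }
    }
}

// Usage (constructed): byte[] plaintext =
//     await EncryptedBlobReader.DownloadDecryptedAsync(container, fileName, GetAzureKeyVaultAccessToken);
```

The identity behind getToken needs only the Key Vault "unwrapKey" permission for this path, so the download service can be granted less than the uploader's "wrapKey" and "get" rights.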
More Blob Storage & Azure Key
Disaster Recovery and Business
Networking & Perimeter
Virtual
Privacy &
Security vs. Compliance
- Compliance: Microsoft, Azure, and Azure Government have a strong compliance story – us/TrustCenter/Compliance/
- Privacy – Dublin: Microsoft (+10 amicus briefs) fighting a US Gov't SCA extra-territorial subpoena for customer data in Dublin (since 2013)
- Data Trustee Model: "German data trustee, Deutsche Telekom, will control and oversee all access to customer data" – for /11/11/45283/
@codingoutloud
Last One – the
1. Threat Intelligence Sources – informed by ML/DS on global properties like Xbox, Halo, Skype, Office 365, Azure, Bing, Windows services, Windows phones, etc.
2. Azure Security Center Service – "Azure Security Center, now in private preview, works with companies like Barracuda, Checkpoint, Cisco Systems Inc., CloudFlare, F5 Networks, Fortinet, Imperva, Incapsula, and Trend Micro Inc. to offer advanced, analytics-driven threat detection that helps you protect, detect and respond to security threats in real-time."
Alert: "VM X and DB Y are not secure"
Alert: "Asset Z has been
“A little magic can take you a long way.” Roald Dahl, Author James and the Giant
It is a "Partnership":
- Not "turning over" all security to the cloud vendor
- You can hold the data encryption keys
- Vendor: infra; You: your apps; SaaS > PaaS > IaaS > OnPrem
- OWASP Top 10 not solved – app security holes port cleanly to the cloud!
- Log analysis (SIEM), WAF, IP/AAD lockdown, …
- Breach _
Bill blog.codingoutloud.com linkedin.com/in/billwilder Find this slide deck here See you at Boston Azure bostonazure.org