Workload Security How the Public Cloud Changes Everything

Presentation transcript:

Workload Security How the Public Cloud Changes Everything David Barter, Microsoft Practice Director Justin Gallagher, Solutions Architect #Cloudscape2017

Introductions David Barter Practice Manager, Microsoft Technologies & End User Computing More than 20 years of IT industry expertise—from break-fix technician to CIO Microsoft Virtual Technical Solution Professional and CIE Certified Justin Gallagher Solutions Architect, Microsoft Practice More than 10 years of experience as an IT professional Microsoft Virtual Technical Solution

Azure Compliance and Data Privacy Data in the cloud is less secure. My own datacenter is the safest place for my data. I have no control over where my data is located. If I put data in the cloud I lose ownership over it. Azure Compliance and Data Privacy

Azure Regulatory Compliance Microsoft maintains strict controls and compliance with a huge list of regulatory compliance programs. Anyone at a company that has had to comply with some of these regulations will attest that they are not easy to achieve or maintain. In some cases the regulatory compliance here applies to Azure and/or other Microsoft services.

Azure Regions and Data Centers When you deploy to Azure you select the region. If you choose to replicate data to a secondary region, in most cases (SQL geo-redundancy and Azure Site Recovery) you get to pick the secondary region. For storage replication each datacenter has a partner in the same regulatory region (US East to US West, Europe East to Europe West). https://azure.microsoft.com/en-us/regions/

Microsoft’s Stance on Customer Data “When it comes to the cloud, trust and security are paramount.” – Satya Nadella, CEO of Microsoft “With Microsoft, you are the owner of your customer data” – Microsoft Trust Center “Microsoft does not share business customer data with our advertiser-supported services, nor do we mine it for marketing or advertising.” – Microsoft Trust Center ISO/IEC 27018:2014 – includes a prohibition on the use of customer data for advertising and marketing purposes without the customer’s express consent. Microsoft has been very clear that your data belongs to you. They were the first cloud provider to be compliant with ISO 27018, which governs what they can do with your data. Microsoft has led the fight in the industry against National Security Letters with gag orders, so enterprise customers can be informed when Microsoft is forced to provide information to the government. I also want to point out that Microsoft has created a Digital Crimes Unit where they address many of the cybersecurity threats, including identifying botnets and bringing legal action against them, and responding to zero-day threats like WannaCry and Petya.

Azure Networking Controls The public cloud is publicly accessible. Access to the Azure environment is over the public Internet, so it’s insecure. I can’t use industry-standard firewalls in Azure. Azure Networking Controls

Azure Networking Defense In Depth The concept of Defense in Depth is not specific to the cloud; it is becoming the standard security practice for all organizations, and it means multiple layers of protection. In Azure you have Microsoft at the front end protecting workloads from DDoS attacks; you then control the public IP and endpoint access; behind that you have the ability to create micro-segmentation between virtual machines to provide even more protection. This is part of the shared security model: Microsoft provides platform security and you configure workload security.

Azure Network Connectivity Options When it comes to connectivity to an Azure deployment there are multiple approaches. One possible approach is connecting to the Azure workloads via the public internet; however, the recommendation for most companies is to create a private connection between your on-premises environment and Azure. This can be done in multiple ways, but at a high level it is either a Site-to-Site VPN connection or ExpressRoute, which allows you to drop a leg of your MPLS into the Azure network. In both of these scenarios you can create an Azure environment that is completely private and requires workloads to go through your on-premises systems.

Azure Network Connectivity Options

Azure Network Segmentation In a previous slide I mentioned micro-segmentation, and I wanted to point out an example of what this looks like.

Third Party Firewall Appliances In Azure Barracuda F-Series NGFW, Cisco ASAv & FirePower, Fortinet FortiGate, Palo Alto NGFW …and many more. One of the groups inside many companies with the most concerns about the public cloud is the security group. Being able to provide a unified security plane across both on-premises and the cloud is important. In this way Azure IaaS can and should be treated as “Datacenter as a Service”.

Virtual Machine Workload Protection A Cloud Virtual Machine is managed by the cloud provider Microsoft backs up my VM Microsoft provides for High Availability Virtual Machine Workload Protection

IaaS Shared Responsibility Model It’s important to understand what Infrastructure as a Service means. In this cloud computing model the physical systems and network connectivity are managed by Microsoft, but the customer manages everything built on top of them. You can think of this as Microsoft managing the hypervisor and below. It’s VM as a Service.

Protecting IaaS Workloads Install Malware Protection, Install Updates, Limit Public Exposure, Backup & Disaster Recovery, Availability Sets, Azure Disk Encryption, Just-in-Time VM Access. Because of this, many of the things on this list are best practices regardless of whether you are on-prem or in the cloud: malware protection, updates, limiting public accessibility. However, Azure provides integrated and innovative ways to do some of this. Backup and recovery is one example, where backup and cross-regional replication can be done with a couple of clicks. Just-In-Time VM Access is another example of a new feature, where you can set up a request process for enabling public ports for specific VMs.
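The micro-segmentation slide above and the Just-in-Time VM Access item on this slide both come down to how network security group (NSG) rules are evaluated, so the following added example models that evaluation. It is illustrative code written for this page, not Azure's own implementation: it follows the documented NSG behaviour of evaluating inbound rules from the lowest priority number upward and stopping at the first match, with Azure's default AllowVnetInBound (65000) and DenyAllInBound (65500) rules appended. The VirtualNetwork service tag is approximated by a constructed address space of 10.0.0.0/16, and all addresses, rule names and priorities are constructed for the example.

```python
"""Simplified model of Azure NSG inbound rule evaluation (illustration only)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VNET = "10.0.0.0/16"   # constructed stand-in for the VirtualNetwork service tag


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # lower number is evaluated first
    access: str     # "Allow" or "Deny"
    protocol: str   # "Tcp", "Udp" or "*"
    source: str     # CIDR or "*"
    dest_port: str  # single port, "lo-hi" range, or "*"


def _port_matches(spec, port):
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return port == int(spec)


def _source_matches(spec, src_ip):
    return spec == "*" or ip_address(src_ip) in ip_network(spec, strict=False)


def evaluate(rules, src_ip, protocol, dest_port):
    """Return (access, rule_name) of the first rule matching an inbound flow."""
    for r in sorted(rules, key=lambda r: r.priority):
        if r.protocol != "*" and r.protocol.lower() != protocol.lower():
            continue
        if _source_matches(r.source, src_ip) and _port_matches(r.dest_port, dest_port):
            return r.access, r.name
    raise ValueError("no rule matched; an NSG always ends with a default rule")


# Azure attaches these default inbound rules to every NSG; custom rules must
# use priority numbers below 65000 to take precedence over them.
DEFAULT_RULES = [
    Rule("AllowVnetInBound", 65000, "Allow", "*", VNET, "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*", "*"),
]

# Constructed rules for a database subnet: only the web tier may reach SQL,
# only the bastion host may RDP, and an explicit deny (priority 4000) stops the
# default AllowVnetInBound rule from letting every other VM in the VNet in.
DB_SUBNET_RULES = [
    Rule("AllowWebToSql", 100, "Allow", "Tcp", "10.0.1.0/24", "1433"),
    Rule("AllowBastionRdp", 110, "Allow", "Tcp", "10.0.0.4/32", "3389"),
    Rule("DenyVnetInBound", 4000, "Deny", "*", VNET, "*"),
] + DEFAULT_RULES


def with_jit_access(rules, requester_ip, port, priority=50):
    """Model of just-in-time VM access: add a short-lived allow rule for one
    requester address. The real feature removes it again when the window expires."""
    jit = Rule("JITAllow_%s_%d" % (requester_ip, port), priority, "Allow",
               "Tcp", requester_ip + "/32", str(port))
    return [jit] + list(rules)


def web_to_sql():
    return evaluate(DB_SUBNET_RULES, "10.0.1.7", "Tcp", 1433)


def internet_to_sql():
    return evaluate(DB_SUBNET_RULES, "203.0.113.9", "Tcp", 1433)


def app_vm_to_rdp():
    # Another VM inside the VNet, not the bastion: blocked by micro-segmentation.
    return evaluate(DB_SUBNET_RULES, "10.0.3.5", "Tcp", 3389)


def app_vm_to_rdp_without_segmentation():
    # Without the explicit deny, the default VNet allow lets the same flow through.
    rules = [r for r in DB_SUBNET_RULES if r.name != "DenyVnetInBound"]
    return evaluate(rules, "10.0.3.5", "Tcp", 3389)


def admin_rdp_via_jit():
    # An administrator's public address is denied until a JIT request opens the port.
    before = evaluate(DB_SUBNET_RULES, "198.51.100.20", "Tcp", 3389)
    after = evaluate(with_jit_access(DB_SUBNET_RULES, "198.51.100.20", 3389),
                     "198.51.100.20", "Tcp", 3389)
    return before, after


if __name__ == "__main__":
    for fn in (web_to_sql, internet_to_sql, app_vm_to_rdp,
               app_vm_to_rdp_without_segmentation, admin_rdp_via_jit):
        print(fn.__name__, "->", fn())
```

The point the model makes is that segmentation inside a virtual network is not the default: without a custom deny rule placed ahead of AllowVnetInBound, every VM in the VNet can reach the database tier. The JIT function shows why the feature reduces exposure: the allow rule is scoped to one requester address and one port rather than opening the port to the Internet permanently.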

Monitoring & Logging I have less visibility and control of VMs in the cloud

Logging In Azure Audit Logs, Performance Logs, Application and Diagnostic Logs, Virtual Machine Logs, Platform Logs. The sheer volume of logging available in the Azure platform is overwhelming. Microsoft provides several tools to see the signal in the noise. One of the primary ways is Azure Log Analytics in Operations Management Suite. This is the native SIEM (Security Information and Event Management); however, there are ways to send logs to an on-premises SIEM. For our GreenPages Managed Services customers we use the Vistara platform, which integrates directly into Azure and pulls data via API.

Azure Monitor For performance and utilization there is Azure Monitor. This is built into the Azure Portal and allows for simplified direct dashboarding of data. Custom dashboards can be shared within an Azure subscription to provide a consistent view of the environment across team members.

Azure Security Center Another big value add is Azure Security Center, which will review an entire Azure subscription. It will report on security vulnerabilities and insecure configurations of VMs and other resources. The great thing about this is that it will not only recommend and give direction on how to resolve the issue but in many cases make it as easy as clicking a button.

Azure Identity I can’t use my work credentials to access Azure I can’t control who does what in the cloud Azure Identity

Azure AD Connect All of the Microsoft Cloud (Azure and Office 365) uses Azure Active Directory as its identity and authorization provider. Microsoft provides a free tool called Azure AD Connect that will synchronize Active Directory to Azure Active Directory, creating a common username and password both on-prem and in the cloud. Even beyond that, Azure Active Directory can be integrated into a huge library of 3rd-party SaaS products.

Microsoft Hybrid Cloud Identity Models Azure AD has multiple models for how to set up identities, and each of these models solves different challenges and has different risks. There are some new advancements to the Azure AD Connect tool that allow for a better user experience and security posture without requiring ADFS.

Azure Role Based Access Control When you talk about Azure, the smallest unit we talk about is Resources. To use the analogy of a file server: Subscriptions are servers, Resource Groups are folders, and Resources are files. In this way you can create granular controls at multiple levels that inherit permissions down. You can also grant rights to perform only specific actions, like giving your DBAs rights to only database resources.
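The following added example models the scope inheritance and action-scoped roles described on this slide. It is illustrative code written for this page, not Azure's authorization engine: a scope is a resource ID path, an assignment at a scope covers every resource beneath it, and a role is a list of permitted action patterns matched case-insensitively with `*` wildcards, the way the Actions list of an Azure role definition reads. NotActions, deny assignments and data-plane actions are deliberately left out. The role names are real built-in role names with abbreviated action lists; the subscription ID, resource group names, principals and resource IDs are constructed.

```python
"""Simplified model of Azure RBAC scope inheritance (illustration only)."""
from fnmatch import fnmatchcase

# Constructed role definitions shaped like Azure built-in roles (abbreviated).
ROLES = {
    "Reader": ["*/read"],
    "Contributor": ["*"],
    "SQL DB Contributor": ["Microsoft.Sql/servers/databases/*",
                           "Microsoft.Sql/servers/read"],
}

# Constructed resource IDs following the slide's analogy:
# subscription = server, resource group = folder, resource = file.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
PROD_RG = SUB + "/resourceGroups/prod-rg"
DEV_RG = SUB + "/resourceGroups/dev-rg"
ORDERS_DB = PROD_RG + "/providers/Microsoft.Sql/servers/sql01/databases/orders"
WEB_VM = PROD_RG + "/providers/Microsoft.Compute/virtualMachines/web01"
DEV_VM = DEV_RG + "/providers/Microsoft.Compute/virtualMachines/dev01"


def in_scope(scope, resource_id):
    """True when resource_id is the scope itself or lies beneath it.
    The trailing slash stops 'prod-rg' from also matching 'prod-rg2'."""
    s, r = scope.lower().rstrip("/"), resource_id.lower()
    return r == s or r.startswith(s + "/")


def is_allowed(assignments, principal, action, resource_id):
    """Additive check: any assignment whose scope contains the resource and
    whose role lists a matching action pattern grants the operation."""
    for who, role, scope in assignments:
        if who != principal or not in_scope(scope, resource_id):
            continue
        if any(fnmatchcase(action.lower(), p.lower()) for p in ROLES[role]):
            return True
    return False


# Constructed assignments: (principal, role, scope). The DBA is granted rights
# only over database resources, as the slide suggests.
ASSIGNMENTS = [
    ("auditor@example.com", "Reader", SUB),
    ("ops@example.com", "Contributor", PROD_RG),
    ("dba@example.com", "SQL DB Contributor", PROD_RG),
]


def checks():
    a = ASSIGNMENTS
    return {
        # Reader at the subscription inherits down to every resource...
        "auditor_reads_vm": is_allowed(a, "auditor@example.com",
                                       "Microsoft.Compute/virtualMachines/read", WEB_VM),
        # ...but read-only rights never include write.
        "auditor_writes_vm": is_allowed(a, "auditor@example.com",
                                        "Microsoft.Compute/virtualMachines/write", WEB_VM),
        # The DBA may change databases in prod-rg...
        "dba_writes_db": is_allowed(a, "dba@example.com",
                                    "Microsoft.Sql/servers/databases/write", ORDERS_DB),
        # ...but not VMs in the same folder.
        "dba_writes_vm": is_allowed(a, "dba@example.com",
                                    "Microsoft.Compute/virtualMachines/write", WEB_VM),
        # Contributor on prod-rg does not leak into dev-rg.
        "ops_writes_dev_vm": is_allowed(a, "ops@example.com",
                                        "Microsoft.Compute/virtualMachines/write", DEV_VM),
    }


if __name__ == "__main__":
    for name, allowed in checks().items():
        print(name, "->", allowed)
```

Two properties worth noticing when reviewing real assignments: rights flow downward only (the subscription-level Reader sees everything below, but a resource-group Contributor gains nothing in a sibling group), and rights are additive, so the way to keep a DBA out of virtual machines is to assign a role whose action list never mentions them rather than to rely on the scope alone.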

Next Steps If you have an existing public cloud and want to ensure your solution is configured to best practices, GreenPages has offerings that can help assess and report on your environment. If you are new to the cloud, we have Cloud Workshops that are 4-5 day sessions where we review key concepts of cloud and deploy a proof of concept workload to the cloud with you.

Thank You Q&A David Barter David.Barter@logicsone.com Justin Gallagher Justin.Gallagher@logicsone.com #Cloudscape2017