BRK3490 Cybersecurity concerns persist Global attacks are increasing and costs are rising Cybercrime extracts between 15% and 20% of the value created.


BRK3490

Cybersecurity concerns persist: global attacks are increasing and costs are rising.
- Cybercrime extracts between 15% and 20% of the value created by the Internet. [1]
- Total financial losses attributed to security compromises increased 34%.
- In the UK, 81% of large corporations and 60% of small businesses reported a cyber breach in the past year. [2]
- The impact of cyber attacks could be as much as $3 trillion in lost productivity and growth. [4]

Protect / Detect / Respond
Protect:
- Security Development Lifecycle & Operational Security Assurance
- Network, identity and data isolation
- Data protection: data encryption and key management
- Least privilege / Just-in-Time (JIT) access
- Auditing and certification
- Vulnerability / update management
Detect:
- Live site penetration testing
- Fraud and abuse detection
- Centralized logging and monitoring
Respond:
- Breach containment
- Coordinated security response
- Customer notification

Data protection: Azure provides customers with strong data protections, both by default and as customer options.
- Data isolation: logical isolation, which segregates each customer's data from that of others, is enabled by default.
- In-transit data protection: industry-standard protocols encrypt data in transit to and from outside components, as well as data in transit internally, by default.
- Data redundancy: customers have multiple options for replicating data, including the number of copies and the number and location of replication data centers.
- At-rest data protection: customers can implement a range of encryption options for virtual machines and storage.
- Encryption: data encryption in storage or in transit can be deployed by the customer to align with best practices for ensuring confidentiality and integrity of data.
- Data destruction: strict standards for overwriting storage resources before reuse and for the physical destruction of decommissioned hardware apply by default.

Data in transit: encryption options
Microsoft:
- Azure Portal: transactions through the Azure Portal are encrypted using HTTPS; strong ciphers are used, with FIPS support.
- Import / Export: only accepts BitLocker-encrypted data disks.
- Datacenter to datacenter: customer data transferred between Azure datacenters is encrypted.
Customers:
- Storage: choose HTTPS for the Storage REST API.
- N-tier applications: encrypt traffic between web client and server by implementing TLS on IIS.
What each protects:
- Data in transit between a user and the service: protects the user from interception of their communication and helps ensure transaction integrity.
- Data in transit between data centers: protects from bulk interception of data.
- End-to-end encryption of communications between users: protects from interception or loss of data in transit between users.

Azure data encryption, data at rest: agenda
- Azure Key Vault and authentication to Key Vault
- Azure Disk Encryption and partner volume encryption: virtual machines, Windows and Linux
- SQL Server and SQL Database: Transparent Data Encryption, Cell Level Encryption, Always Encrypted
- Application-level encryption: Cloud Integrated Storage; Azure Storage (Blobs, Tables, Queues); HDInsight; Azure Backup Service
- Key management

Azure Disk Encryption: protection elements
- Access control: the customer controls access to the keys and secrets in their key vault.
- Monitoring and logging: the customer collects logs in their own storage account.
- Data security and availability: disks are stored encrypted in the customer's storage account and are automatically replicated by Azure Storage.
Encryption scenarios:
- New VMs from customer-encrypted VHDs
- New VMs from the Azure Gallery
- Running VMs in Azure

Scenario: new VM from a customer-encrypted VHD
1. Customer uploads the encrypted VHD to their Azure storage account.
2. Customer provisions the encryption key material* in their key vault and grants the platform access to provision the VM.
3. Customer opts in to enabling disk encryption.
4. Azure Service Management updates the service model with the encryption and key vault configuration.
5. The Azure platform provisions the encrypted VM.
* Key material: BitLocker encryption keys [Windows], passphrase [Linux]
Flow diagram: Portal/API and Service Management (config) to Host, using an AAD token; the host reads the VHD from Azure Storage and the key from the customer Key Vault, then provisions the encrypted VM.

Scenario: new VM from the Azure Gallery or a running VM
1. Customer opts in to enabling disk encryption and grants the Azure platform access to provision the encryption key material* in their key vault.
2. Azure Service Management updates the service model with the encryption and key vault configuration.
3. The Azure platform provisions the encrypted VM.
* Key material: BitLocker encryption keys [Windows], passphrase [Linux]
Flow diagram: Portal/API and Service Management (config) to Host, using an AAD token; the host uploads the key material to the customer Key Vault and provisions the encrypted VM.

Key ownership
- Secrets such as BitLocker Encryption Keys [BEK] or the Linux passphrase are stored, protected and under customer control, in the customer's key vault container.
- Secrets are encrypted by a customer-controlled Key Encryption Key [KEK, RSA 2048].
- The customer grants explicit Read or Write access to their key vault container to Azure to enable disk encryption.
- The customer specifies the key vault URI to allow Azure access to their keys and secrets.
- Azure does not have ANY default access to a customer's key vault for the disk encryption feature.
Example vault contents: secrets Contoso.BEK [encrypted by ContosoKEK] for BitLocker on Windows and ContosoPassPhrase [encrypted by ContosoKEK] for Linux; key ContosoKEK.
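The two provisioning flows and the key-ownership model above, as one added example of enabling Azure Disk Encryption on an existing Resource Manager VM. This is not code from the session; it uses the AzureRM PowerShell cmdlets of that era, and the resource group, vault, key and VM names, together with the AAD application (`$aadClientId`, `$aadClientSecret`) that ADE uses to write the wrapped BEK, are assumptions:

```powershell
# Added example, not from the session. Assumed names: ContosoRG, ContosoVault,
# ContosoKEK, ContosoVM, and an AAD application already registered for ADE.
$rg        = 'ContosoRG'
$vaultName = 'ContosoVault'
$vmName    = 'ContosoVM'
$aadClientId     = '<aad-application-id>'        # assumption: pre-registered app
$aadClientSecret = '<aad-application-secret>'    # assumption: its client secret

# 1. Premium vault so the KEK can be HSM-backed. -EnabledForDiskEncryption is the
#    explicit grant that lets the platform read/write BEKs in this vault; without
#    it Azure has no access at all.
$vault = New-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rg `
            -Location 'West US' -Sku Premium -EnabledForDiskEncryption

# 2. Customer-controlled RSA-2048 KEK. Destination HSM keeps the private key
#    inside the HSM boundary; only wrap/unwrap operations ever leave it.
$kek = Add-AzureKeyVaultKey -VaultName $vaultName -Name 'ContosoKEK' -Destination HSM

# 3. The AAD application the extension runs as needs only to wrap the BEK with the
#    KEK and store the result as a secret; it never needs unwrapKey or get on keys.
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $aadClientId `
    -PermissionsToKeys wrapKey -PermissionsToSecrets set

# 4. Opt the VM in. The extension generates the BEK (Windows) or passphrase (Linux),
#    wraps it with ContosoKEK and writes it to the customer vault (the "Upload Key"
#    step in the diagram above).
Set-AzureRmVMDiskEncryptionExtension -ResourceGroupName $rg -VMName $vmName `
    -AadClientID $aadClientId -AadClientSecret $aadClientSecret `
    -DiskEncryptionKeyVaultUrl $vault.VaultUri -DiskEncryptionKeyVaultId $vault.ResourceId `
    -KeyEncryptionKeyUrl $kek.Key.Kid -KeyEncryptionKeyVaultId $vault.ResourceId `
    -VolumeType All

# 5. Verify: OS and data volumes should report Encrypted, and the wrapped secret
#    should now exist in the vault. Listing it shows the name only; the value
#    stays wrapped by the KEK.
Get-AzureRmVMDiskEncryptionStatus -ResourceGroupName $rg -VMName $vmName
Get-AzureKeyVaultSecret -VaultName $vaultName | Select-Object Name, Enabled, Created
```

Two checks worth keeping in a runbook: the access policy in step 3 is the only standing grant to the application, so anything broader (for example `all` on keys) is a finding; and the `KeyEncryptionKeyUrl` is versioned, so rotating ContosoKEK requires re-running step 4 so that new BEKs are wrapped with the new version.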

Storage: Cloud Integrated Storage
- Hybrid applications: Windows Server data snapshots
- Data is encrypted on-premises and backed up in Azure
- AES-256 encryption, integrity protected with SHA-256 hashes

SQL Server encryption options: Transparent Data Encryption (TDE), Cell Level Encryption (CLE), SQL Server encrypted backups, Always Encrypted
- The SQL Server Extensible Key Management (EKM) provider shifts encryption master keys to an external key manager.
- Separation of duties between data management and key management.
- Azure Key Vault as an EKM: the SQL Server Connector enables Azure Key Vault to be used as an EKM.
- Customer-owned encryption master keys in software or hardware (FIPS-validated HSM).
- Applies to SQL Server on-premises and in Azure VMs.

Key Vault as EKM: components and flow
Components: Key Vault service, Azure Active Directory, SQL Server Connector. Personas: SQL Server admin, Security Operations, Auditor.
1. Register the SQL Server instance (in Azure Active Directory).
2a. Create the vault. 2b. Create the master key. 2c. Give SQL Server access to the vault. (Key management tasks, separate from database administration.)
3. Configure SQL Server encryption.
4. The SQL Server Connector authenticates to Key Vault.
5. Key Vault protects the keys.
6. Audit key usage (coming soon).
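Steps 3 to 5 above from the SQL Server side, as an added example that is not from the session. It drives the documented T-SQL for the SQL Server Connector from PowerShell via Invoke-Sqlcmd. Assumptions: the connector is installed at its default path on the SQL host, Security Operations has already created the key `ContosoMasterKey` in `ContosoVault` (steps 2a to 2c) and granted the AAD application `get`, `wrapKey` and `unwrapKey` on it, and the instance, database and credential placeholders below are invented:

```powershell
# Added example, not from the session. Instance, database, vault and AAD
# application values are assumptions; the connector expects the AAD client ID
# (hyphens removed) immediately followed by the client secret as the SECRET.
$instance  = 'SQLVM01'
$dbName    = 'ContosoDB'
$vaultName = 'ContosoVault'
$clientId  = '<aad-client-id-without-hyphens>'   # assumption
$secret    = '<aad-client-secret>'               # assumption
$adminLogin = "$env:USERDOMAIN\$env:USERNAME"    # login running this script (sysadmin)

$tsql = @"
USE master;
-- 1. Register the connector as an EKM provider (instance-level, sysadmin only).
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'EKM provider enabled', 1;   RECONFIGURE;
CREATE CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM
  FROM FILE = 'C:\Program Files\Microsoft SQL Server Connector for Microsoft Azure Key Vault\Microsoft.AzureKeyVaultService.EKM.dll';

-- 2. Credential the admin login uses to reach the vault. IDENTITY is the vault name.
CREATE CREDENTIAL sysadmin_ekm_cred
  WITH IDENTITY = '$vaultName', SECRET = '$clientId$secret'
  FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM;
ALTER LOGIN [$adminLogin] ADD CREDENTIAL sysadmin_ekm_cred;

-- 3. Reference the existing vault key. SQL Server gets a handle to the public
--    half only; the private key never leaves Key Vault (OPEN_EXISTING, not create).
CREATE ASYMMETRIC KEY ContosoMasterKey
  FROM PROVIDER AzureKeyVault_EKM
  WITH PROVIDER_KEY_NAME = 'ContosoMasterKey', CREATION_DISPOSITION = OPEN_EXISTING;

-- 4. Separate login and credential the engine uses at startup to unwrap the DEK,
--    so the DBA's own credential is not what keeps the database online.
CREATE CREDENTIAL tde_ekm_cred
  WITH IDENTITY = '$vaultName', SECRET = '$clientId$secret'
  FOR CRYPTOGRAPHIC PROVIDER AzureKeyVault_EKM;
CREATE LOGIN tde_ekm_login FROM ASYMMETRIC KEY ContosoMasterKey;
ALTER LOGIN tde_ekm_login ADD CREDENTIAL tde_ekm_cred;

-- 5. Database encryption key wrapped by the vault key, then switch TDE on.
USE [$dbName];
CREATE DATABASE ENCRYPTION KEY WITH ALGORITHM = AES_256
  ENCRYPTION BY SERVER ASYMMETRIC KEY ContosoMasterKey;
ALTER DATABASE [$dbName] SET ENCRYPTION ON;
"@
Invoke-Sqlcmd -ServerInstance $instance -Query $tsql

# Verify: encryption_state 3 means encrypted, and encryptor_type should report
# ASYMMETRIC KEY rather than CERTIFICATE (i.e. the master key lives in the vault).
Invoke-Sqlcmd -ServerInstance $instance -Query @"
SELECT DB_NAME(database_id) AS db, encryption_state, encryptor_type
FROM sys.dm_database_encryption_keys;
"@
```

The separation of duties the slide describes is visible in what each party can do afterwards: the DBA can enable and disable TDE and rotate the DEK, but cannot export or delete ContosoMasterKey; Security Operations can disable or rotate the vault key and thereby revoke the database's ability to start, without ever touching the SQL instance.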

Diagram: Microsoft Azure Key Vault serving IaaS, PaaS and SaaS workloads; customer keys are imported into HSM-backed Key Vault.

Azure Key Vault: enhance data protection and compliance
- Encrypt keys and small secrets like passwords using keys stored in tightly controlled and monitored Hardware Security Modules (HSMs).
- Import or generate your keys in HSMs for added assurance; keys never leave the HSM boundary.
- Comply with regulatory standards for secure key management, including US Government FIPS 140-2 Level 2 and Common Criteria EAL 4+.
- Monitor and audit key use through Azure logging; pipe logs into HDInsight or your SIEM for additional analysis (coming soon).
Who does what:
- Security admin (manages keys): creates a Key Vault; adds keys and secrets to the vault; grants permission to specific application(s) to perform specific operations, e.g. decrypt or unwrap; enables usage logs; tells the application the URI of the key or secret.
- Developer (deploys application): the application program uses the key or secret (and may abuse it) but never sees the keys.
- Auditor (monitors access to keys): reviews usage logs to confirm proper key use and compliance with data security standards.
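The three-persona model above, as an added example that is not from the session: access policies that let the security admin manage keys, the application only use them, and the auditor only read logs, plus a check that no single principal can do both. It uses AzureRM cmdlets and assumes the vault `ContosoVault` in `ContosoRG` and a storage account `contosokvlogs` already exist; the group and application names are invented, and diagnostic logging is assumed to be available (the session lists it as coming soon):

```powershell
# Added example, not from the session. Vault, storage account, group and
# application names are assumptions.
$rg = 'ContosoRG'; $vaultName = 'ContosoVault'
$vault = Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rg

# Security admin: full key lifecycle, deliberately WITHOUT wrap/unwrap/decrypt,
# so the people who create keys cannot quietly use them on data.
$secAdmins = Get-AzureRmADGroup -SearchString 'Security Operations' | Select-Object -First 1
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $secAdmins.Id `
    -PermissionsToKeys create,import,get,list,backup,delete `
    -PermissionsToSecrets set,get,list,delete

# Application: unwrap/decrypt only. It can use the key through the vault but
# never read the private material, and it cannot create or delete keys.
$app = Get-AzureRmADServicePrincipal -SearchString 'ContosoPayrollApp' | Select-Object -First 1
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ObjectId $app.Id `
    -PermissionsToKeys unwrapKey,decrypt

# Audit trail: every data-plane call (who, which key, which operation) goes to
# the customer-owned storage account; auditors get Reader on that account via
# Azure RBAC and need no vault access policy at all.
$logSa = Get-AzureRmStorageAccount -ResourceGroupName $rg -Name 'contosokvlogs'
Set-AzureRmDiagnosticSetting -ResourceId $vault.ResourceId -StorageAccountId $logSa.Id `
    -Enabled $true -Categories AuditEvent

# Review: list every policy and flag any principal that can both manage and use
# keys, which defeats the separation the session describes.
$manageOps = 'create','import','delete','backup','restore','all'
$useOps    = 'wrapKey','unwrapKey','encrypt','decrypt','sign','verify','all'
(Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $rg).AccessPolicies |
    ForEach-Object {
        $keys = @($_.PermissionsToKeys)
        [pscustomobject]@{
            Principal    = $_.DisplayName
            Keys         = ($keys -join ',')
            SoDViolation = [bool](($keys | Where-Object { $_ -in $manageOps }) -and
                                  ($keys | Where-Object { $_ -in $useOps }))
        }
    }
```

Note that the ADE platform grant (`-EnabledForDiskEncryption`) and any `all` permission will show up as violations in the review; that is intended, since both are worth an explicit justification rather than silent acceptance.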

Azure data encryption, data at rest: recap
- Azure Key Vault and authentication to Key Vault
- Azure Disk Encryption and partner volume encryption: virtual machines, Windows and Linux
- SQL Server and SQL Database: Transparent Data Encryption, Cell Level Encryption, Always Encrypted
- Application-level encryption: Cloud Integrated Storage; Azure Storage (Blobs, Tables, Queues); HDInsight; Azure Backup Service
- Key management

Is my data gone? Retention and backup
- Abandoned data: retained for 90 days and available if the customer comes back, then subsequently deleted.
- Customer deletion: delete data at any time.
Is my data really gone? Destruction
- Defective disks: destroyed on-site.
- Decommissioning: Azure follows DoD data wiping standards.

Even once all data is encrypted you are not done: fundamentals are key!
- Mitigate the risk of compromised accounts: Multi-Factor Authentication (Azure MFA / Windows Server ADFS).
- Limit excessive permissions (least privilege): Azure AD Role Based Access Control (RBAC); Azure AD Privileged Identity Management (temporary / "JIT" access controls).
- Detect insider compromise or abuse of privileges: Azure auditing and logging; Azure AD anomaly detection and analysis.

Compromised accounts
- Accounts with weak authentication methods (passwords) can be compromised, e.g. by spear-phishing.
- Secure your user accounts with Azure MFA: can be used with Azure Active Directory or Windows Server Active Directory Federation Services (ADFS); provides a second factor such as a phone or device.
- Secure your user accounts with smart cards with Windows Server ADFS and AAD: use your existing PKI (smart card, virtual smart card) to secure accounts by federating Azure AD accounts to your on-premises infrastructure.


Limiting permissions
- Permissions to sensitive data should follow the least-privilege principle: only grant the access necessary for the role.
- Azure RBAC (20 built-in roles, custom roles coming soon): general roles Reader, Contributor, Owner; resource-specific roles, e.g. Virtual Machine Contributor, SQL DB Contributor; assignable to users, groups and service principals.
- Key Vault access control: very fine-grained access controls to key vaults for users and service principals (create, verify, sign, wrap/unwrap, etc.), able to enforce segregation of duties.

Azure Role Based Access Control
- Assign roles to users and groups at subscription, resource group, or resource level.
- Assignments inherit down the hierarchy: subscription, then resource group, then resource.
- Use built-in roles with pre-configured permissions (20 built-in roles: Reader, Contributor, Owner, and resource-specific roles).
- Create custom roles (coming soon).

RBAC example
Resource group EmployeeBenefitsApp contains virtual machines, a SQL DB and storage accounts. Role assignments on EmployeeBenefitsApp:
- Owners: HR IT Admins
- Contributors: HR IT DevOps Team
- Readers: HR Benefits Team
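The EmployeeBenefitsApp assignments above expressed with AzureRM cmdlets, as an added example that is not from the session, followed by the review a least-privilege owner would run: every assignment visible inside the resource group, and a filter for anything that does not match the model or that is inherited as Owner/Contributor from subscription scope. The group names are the slide's; the model-mismatch rule is my assumption:

```powershell
# Added example, not from the session. Group names come from the slide; the
# "nothing above resource-group scope" rule is an assumption.
$rg = 'EmployeeBenefitsApp'
$model = @{
    'HR IT Admins'      = 'Owner'
    'HR IT DevOps Team' = 'Contributor'
    'HR Benefits Team'  = 'Reader'
}

# Assign each group once, at the resource group, so every VM, SQL DB and storage
# account inside inherits it. Per-resource assignments are what drift later.
foreach ($groupName in $model.Keys) {
    $group = Get-AzureRmADGroup -SearchString $groupName | Select-Object -First 1
    New-AzureRmRoleAssignment -ObjectId $group.Id -RoleDefinitionName $model[$groupName] `
        -ResourceGroupName $rg
}

# What actually applies inside the resource group, including assignments
# inherited from the subscription (Scope shows where each one was made).
$effective = Get-AzureRmRoleAssignment -ResourceGroupName $rg
$effective | Select-Object DisplayName, RoleDefinitionName, Scope

# Least-privilege review. Two kinds of finding:
#  - Owner/Contributor inherited from above the resource group (scope has no
#    '/resourceGroups/' segment): a subscription-wide grant reaching HR data.
#  - Any principal or role not in the model, e.g. a per-VM Contributor added ad hoc.
$findings = $effective | Where-Object {
    ($_.Scope -notlike '*/resourceGroups/*' -and $_.RoleDefinitionName -in 'Owner','Contributor') -or
    ($model[$_.DisplayName] -ne $_.RoleDefinitionName)
}
$findings | Select-Object DisplayName, RoleDefinitionName, Scope
```

Run the review on a schedule rather than once: the assignments are correct on the day they are made, and the value of the check is catching the per-resource or subscription-level grant that appears six months later.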

Azure AD Privileged Identity Management
- Discover current admin permissions in one view.
- Set temporary authorization policies for Azure AD management roles.
- Global, billing, password, service, and user administrators can use PIM.
- Collect a justification and work item reference for every elevation/activation.
- Coming soon: support for Azure RBAC.
