
Bill Wilder Boston Code Camp #25 02-Apr-2016 (1:45 – 2:45) 17 Specific Azure Security Tips and Tricks.


2 (Sponsor tiers) Platinum, Gold, Silver, Bronze, In-Kind Donations

3 CTO 

4 Harrenhal: Threats Change Over Time. "The largest and greatest fortress ever built in Westeros... Harren thought the walls of his massive castle could withstand any assault, but he did not realize that dragons could simply fly over them." (http://gameofthrones.wikia.com/wiki/Harrenhal; image: http://gameofthrones.wikia.com/wiki/Harrenhal?file=Harrenhal.jpg) Threat models CHANGE over time! @codingoutloud

5 "[Cloud security] is a shared responsibility between the customer and the cloud vendor." Mark Russinovich, Microsoft Azure CTO. https://www.rsaconference.com/writable/presentations/file_upload/exp-w01_assume-breach-an-inside-look-at-cloud-service-provider-security.pdf @codingoutloud

6 Code Spaces (AWS console breach): 1. DDoS 2. Ransom demand 3. Security breach noticed 4. Fighting back 5. Malicious destruction of assets 6. Security & Business #fail. ELAPSED TIME: 12 HOURS. "Code Spaces has a full recovery plan that has been proven to work and is, in fact, practiced." Data plane (data access) vs. mgmt/control plane (Portal, APIs, PowerShell). https://aws.amazon.com/iam/details/mfa/ http://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/ @codingoutloud

7 Risk / Mitigation (slide from Mark Russinovich's talk at RSA 2015):
- Internet-exposed RDP or SSH endpoints: Network ACLs or host-based firewall; strong passwords; VPN or SSH tunnels
- Virtual machine missing security patches: keep automatic updates enabled
- Web application vulnerability: securing Azure web applications; vulnerability scan / penetration test
- Weak admin/co-admin credentials: Azure Multi-Factor Authentication; subscription management certificate
- Unrestricted SQL endpoint: Azure SQL firewall
- Storage key disclosure: manage access to storage resources
- Insufficient security monitoring: Azure security and log management
https://www.rsaconference.com/writable/presentations/file_upload/exp-w01_assume-breach-an-inside-look-at-cloud-service-provider-security.pdf

8 1. Research & Development: "Microsoft invests >$1B dollars in security R&D, every year." Satya Nadella, CEO, Microsoft. 2. Microsoft Acquisitions: Adallom, Aorato, others. http://blogs.microsoft.com/blog/2015/11/17/enterprise-security-for-our-mobile-first-cloud-first-world/ @codingoutloud

9 Protecting the Management/Control Plane @codingoutloud

10 Demo: MFA: https://account.activedirectory.windowsazure.com/UserManagement/MultifactorVerification.aspx Demo: App Passwords: https://account.activedirectory.windowsazure.com/UserManagement/MfaSettings.aspx Demo: App Password Configuration: https://account.activedirectory.windowsazure.com/AppPasswords.aspx @codingoutloud

11 Azure portal history: 1. v1: HTML 2. v2: Silverlight 3. v3: back to HTML, today known as the "classic" portal, https://manage.windowsazure.com 4. v4: back to Silverlight (just kidding), really HTML 5. More granular security: RBAC, https://portal.azure.com @codingoutloud http://arstechnica.com/security/2014/06/aws-console-breach-leads-to-demise-of-service-with-proven-backup-plan/

12 Co-Admin is the only option on the Classic Portal. RBAC is only available on portal.azure.com. New portal support is not 100%. Demo: Add a Reader to an Azure SQL DB Server. Resources: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/ https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/ @codingoutloud

13 RBAC is only available on portal.azure.com. Co-Admin is at Subscription level. Use a separate subscription for an "anything goes" env (like for dev collaboration): https://account.windowsazure.com/Subscriptions. Lock a Subscription, Resource Group, or Resource in Azure: https://azure.microsoft.com/en-us/documentation/articles/resource-group-lock-resources/ @codingoutloud

14 Authentication & Authorization @codingoutloud

15 Use the same AAD where it makes sense, across: Azure; Office 365; Visual Studio Team Services; Windows 10 (Intune); third-party applications (e.g., cloudportam) @codingoutloud

16 Not just across Azure, Office 365, … Demo: Custom App SSO with AAD @codingoutloud

17 Demo: Custom App SSO with AAD, but with no code in the app @codingoutloud

18 Demo: Custom App SSO with Twitter @codingoutloud

19 Demo: Add-AzureAccount @codingoutloud

20 Azure Web App Certificate & Credential Management @codingoutloud

21 Demo: Show DB Connection String setting in portal. Demo: Show where to upload SSL Certificate to Azure. SNI support has tipped: https://en.wikipedia.org/wiki/Server_Name_Indication#Support Enforce SSL connection: https://azure.microsoft.com/en-us/documentation/articles/web-sites-configure-ssl-certificate/#4-enforce-https-on-your-app Let's Encrypt: https://letsencrypt.org/ @codingoutloud

22 SQL Database @codingoutloud

23 Demo: SQL DB Server Database Level: sp_set_firewall_rule @codingoutloud
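The firewall demo on this slide is a portal click-through; the following T-SQL is an added example (not from the slide deck) showing the same server-level and database-level rules, the catalog views a reviewer reads to see what is open, and the cleanup. Rule names, IP ranges and the database name are constructed placeholders. Azure SQL Database does not support USE, so the master-scoped statements and the user-database statements run in two separate connections.

```sql
-- Added example, not from the deck: Azure SQL Database firewall rules in T-SQL.
-- Rule names and IP ranges below are constructed (TEST-NET documentation ranges).

-- Server-level rule: run in the master database as the server admin.
-- Applies to every database on the logical server.
EXECUTE sp_set_firewall_rule
    @name             = N'OfficeEgress',
    @start_ip_address = '203.0.113.10',
    @end_ip_address   = '203.0.113.20';

-- Database-level rule: run while connected to the user database itself.
-- Scopes access to this one database, so a shared server can give each app its own range.
EXECUTE sp_set_database_firewall_rule
    @name             = N'WebTierOnly',
    @start_ip_address = '198.51.100.5',
    @end_ip_address   = '198.51.100.5';

-- Review what is open. A rule spanning 0.0.0.0 to 0.0.0.0 is the "Allow access to Azure
-- services" switch: it admits traffic from any Azure tenant, not only yours, so treat it
-- as a finding unless it is deliberately required.
SELECT name, start_ip_address, end_ip_address
FROM sys.firewall_rules;                 -- server level (query in master)

SELECT name, start_ip_address, end_ip_address
FROM sys.database_firewall_rules;        -- database level (query in the user database)

-- Remove rules that are no longer needed; stale rules are the usual way ranges stay open.
EXECUTE sp_delete_firewall_rule          @name = N'OfficeEgress';
EXECUTE sp_delete_database_firewall_rule @name = N'WebTierOnly';
```

Database-level rules are evaluated first; if none matches, the server-level rules are checked. Keeping app-specific ranges at database level and leaving the server-level list short makes the periodic review of sys.firewall_rules a quick job.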

24 Dynamic Data Masking (server-side): https://azure.microsoft.com/en-us/documentation/articles/sql-database-dynamic-data-masking-get-started/ @codingoutloud
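An added T-SQL example (not from the slide deck) of Dynamic Data Masking: it defines masked columns with the built-in email, partial, random and default functions, shows what a principal without UNMASK sees, grants and revokes UNMASK, and inventories masked columns from the catalog. The table, column and user names and the single row are constructed for illustration.

```sql
-- Added example, not from the deck: Dynamic Data Masking on Azure SQL Database.
-- Table, columns, user and data are constructed for illustration.

CREATE TABLE dbo.Customers (
    CustomerId  INT IDENTITY PRIMARY KEY,
    FullName    NVARCHAR(100) NOT NULL,
    Email       NVARCHAR(256) MASKED WITH (FUNCTION = 'email()'),                 -- aXXX@XXXX.com
    Phone       VARCHAR(20)   MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)'), -- keep last 4 digits
    CreditLimit DECIMAL(10,2) MASKED WITH (FUNCTION = 'random(1, 999)'),          -- random number in range
    SSN         CHAR(11)      MASKED WITH (FUNCTION = 'default()')                -- xxxx for strings
);

INSERT INTO dbo.Customers (FullName, Email, Phone, CreditLimit, SSN)
VALUES (N'Ada Example', N'ada@example.com', '617-555-0142', 25000.00, '123-45-6789'); -- constructed row

-- A low-privilege principal for a support desk: may read the table, has no UNMASK permission.
CREATE USER SupportReader WITHOUT LOGIN;
GRANT SELECT ON dbo.Customers TO SupportReader;

-- Impersonate it to see the masked result set:
--   Email -> aXXX@XXXX.com, Phone -> XXX-XXX-0142, SSN -> xxxx, CreditLimit -> random value
EXECUTE AS USER = 'SupportReader';
SELECT FullName, Email, Phone, CreditLimit, SSN FROM dbo.Customers;
REVERT;

-- Only principals that genuinely need raw values get UNMASK; it is database-wide, not per column.
GRANT UNMASK TO SupportReader;
REVOKE UNMASK FROM SupportReader;

-- Masking can be added to an existing column later without rewriting the stored data.
ALTER TABLE dbo.Customers
    ALTER COLUMN FullName ADD MASKED WITH (FUNCTION = 'partial(1,"*****",0)');

-- Inventory of masked columns: the check a reviewer runs to confirm coverage.
SELECT OBJECT_NAME(object_id) AS table_name, name AS column_name, masking_function
FROM sys.masked_columns
WHERE is_masked = 1;
```

Masking is applied to query results only. A principal with SELECT can still use a masked column in a WHERE clause or a JOIN and infer values by trial, so DDM limits accidental exposure in tooling and reports; it is not an access-control boundary, and the slide's later client-side encryption is the tool for data the server must never see in clear.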

25 Demo: Transparent Data Encryption (server-side). Always Encrypted (client-side): https://azure.microsoft.com/en-us/updates/public-preview-always-encrypted-for-azure-sql-database/ @codingoutloud
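To make the server-side versus client-side distinction on this slide concrete, here is an added T-SQL example (not from the slide deck). It turns on Transparent Data Encryption and verifies it from the DMV, then sets up Always Encrypted with a column master key held in Azure Key Vault and two encrypted columns. The database, key, table and column names are constructed; the Key Vault key URL and the wrapped column-encryption-key bytes are placeholders, because the wrapped value is generated on a client that holds the master key (for example SSMS or PowerShell), never on the server.

```sql
-- Added example, not from the deck: server-side TDE versus client-side Always Encrypted.
-- Names are constructed; <your-vault>/<cmk-name>/<version> and the 0x00 CEK value are placeholders.

-- 1. Transparent Data Encryption: encrypts data files, log and backups at rest.
--    Transparent to every query and to every login that can connect, so it protects
--    the storage media, not the data from an over-privileged principal.
ALTER DATABASE [AppDb] SET ENCRYPTION ON;

SELECT DB_NAME(database_id) AS db_name, encryption_state, key_algorithm, key_length
FROM sys.dm_database_encryption_keys;   -- encryption_state 2 = in progress, 3 = encrypted

-- 2. Always Encrypted: the server stores only ciphertext; the client driver encrypts
--    and decrypts with keys the server cannot read.
--    The column master key lives in Azure Key Vault; the database records only its location.
CREATE COLUMN MASTER KEY [CMK_AppDb]
WITH (
    KEY_STORE_PROVIDER_NAME = N'AZURE_KEY_VAULT',
    KEY_PATH = N'https://<your-vault>.vault.azure.net/keys/<cmk-name>/<version>'  -- placeholder
);

-- Column encryption key, wrapped with the CMK (RSA-OAEP). ENCRYPTED_VALUE is produced
-- client-side by a tool holding the CMK; 0x00 stands in for the real wrapped blob.
CREATE COLUMN ENCRYPTION KEY [CEK_AppDb]
WITH VALUES (
    COLUMN_MASTER_KEY = [CMK_AppDb],
    ALGORITHM = 'RSA_OAEP',
    ENCRYPTED_VALUE = 0x00  -- placeholder
);

CREATE TABLE dbo.Patients (
    PatientId INT IDENTITY PRIMARY KEY,
    -- DETERMINISTIC permits equality lookups and joins but reveals which rows share a
    -- plaintext; it requires a binary2 collation. RANDOMIZED reveals nothing and supports
    -- no predicates. Pick per column according to how the column is queried.
    SSN CHAR(11) COLLATE Latin1_General_BIN2
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK_AppDb],
                        ENCRYPTION_TYPE = DETERMINISTIC,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256'),
    Diagnosis NVARCHAR(200)
        ENCRYPTED WITH (COLUMN_ENCRYPTION_KEY = [CEK_AppDb],
                        ENCRYPTION_TYPE = RANDOMIZED,
                        ALGORITHM = 'AEAD_AES_256_CBC_HMAC_SHA_256')
);

-- A DBA whose connection string lacks "Column Encryption Setting=Enabled" (or who has no
-- access to the Key Vault key) sees only varbinary ciphertext in these columns.
SELECT PatientId, SSN, Diagnosis FROM dbo.Patients;
```

The contrast with TDE is the trust boundary: TDE keys are held by the platform and every successful login reads plaintext, whereas with Always Encrypted the application (or whoever holds Key Vault access to the master key) is the only party that can decrypt, which is what the slide's "client-side" label means.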

26 Blob Storage & Azure Key Vault @codingoutloud

27 TDE (Storage Service Encryption): https://azure.microsoft.com/en-us/documentation/articles/storage-service-encryption/ General (excellent) resource: https://azure.microsoft.com/en-us/documentation/articles/storage-security-guide/ @codingoutloud

28 AKV: https://azure.microsoft.com/en-us/documentation/articles/key-vault-whatis/ @codingoutloud

29 Client-side blob encryption with a Key Vault key (the slide's C# snippet, re-fenced with the usings it needs; the elided constructor argument is the key resolver, which an upload-only path does not need):

```csharp
using System.Threading;
using Microsoft.Azure.KeyVault;
using Microsoft.WindowsAzure.Storage.Blob;

// Resolve the RSA key held in Azure Key Vault. GetAzureKeyVaultAccessToken is the
// authentication callback that obtains an AAD token for the vault; keyId is the key's URL.
var resolver = new KeyVaultKeyResolver(GetAzureKeyVaultAccessToken);
var rsaKey = await resolver.ResolveKeyAsync(keyId, CancellationToken.None);

// Client-side encryption: the storage client generates a per-blob content key, wraps it
// with rsaKey and stores the wrapped key in blob metadata. Key Vault never sees the data
// and Azure Storage never sees the plaintext. RequireEncryption refuses any unencrypted
// upload, so a misconfigured policy fails closed instead of silently storing plaintext.
var uploadOptions = new BlobRequestOptions
{
    EncryptionPolicy = new BlobEncryptionPolicy(rsaKey, null), // key resolver only needed for download
    RequireEncryption = true
};

var blob = container.GetBlockBlobReference(fileName);
await blob.UploadFromByteArrayAsync(content, 0, content.Length, null, uploadOptions, null);
```

30 More Blob Storage & Azure Key Vault @codingoutloud

31 Disaster Recovery and Business Continuity @codingoutloud

32 Networking & Perimeter Security @codingoutloud

33 Virtual Machines @codingoutloud

34 Privacy & Compliance @codingoutloud

35 Security vs. Compliance. Compliance: Microsoft, Azure and Azure Government have a strong compliance story: https://www.microsoft.com/en-us/TrustCenter/Compliance/ Privacy: Dublin Email: Microsoft (+10 amicus briefs) fighting a US Gov't SCA extra-territorial subpoena for customer email data in Dublin (since 2013). Data Trustee Model: "German data trustee, Deutsche Telekom, will control and oversee all access to customer data" for Microsoft: https://news.microsoft.com/europe/2015/11/11/45283/ @codingoutloud

36 @codingoutloud

37 Last One – the future @codingoutloud


39 1. Threat Intelligence Sources: informed by ML/DS on global properties like Xbox, Halo, Skype, Office 365, Azure, Bing, Windows services, Windows phones, etc. 2. Azure Security Center Service: "Azure Security Center, now in private preview, works with companies like Barracuda, Checkpoint, Cisco Systems Inc., CloudFlare, F5 Networks, Fortinet, Imperva, Incapsula, and Trend Micro Inc. to offer advanced, analytics-driven threat detection that helps you protect, detect and respond to security threats in real-time." Alert: "VM X and DB Y are not secure" Alert: "Asset Z has been compromised" http://blogs.microsoft.com/blog/2015/11/17/enterprise-security-for-our-mobile-first-cloud-first-world/ @codingoutloud

40 “A little magic can take you a long way.” Roald Dahl, Author James and the Giant Peach @codingoutloud

41 It is a "Partnership": not "turning over" all security to the cloud vendor. You can hold data encryption keys. Vendor: infra; you: your apps; SaaS > PaaS > IaaS > OnPrem. OWASP Top 10 not solved: app security holes port cleanly to the cloud! Log analysis (SIEM), WAF, IP/AAD lockdown, … Breach detection. @codingoutloud


44 Bill Wilder @codingoutloud codingoutloud@gmail.com blog.codingoutloud.com linkedin.com/in/billwilder Find this slide deck here See you at Boston Azure bostonazure.org

