Security Best Practices for Microsoft Azure Applications - Varun Sharma, Principal Security Engineer, Microsoft IT (Learn. Connect. Explore.)

Post on 08-Jul-2020


Page 1: Learn. Connect. Explore. - Security Best Practices for Microsoft Azure Applications. Varun Sharma, Principal Security Engineer, Information Security & Risk Management (ISRM), Microsoft IT.

Page 2: Security Best Practices for Microsoft Azure Applications

Varun Sharma
Principal Security Engineer, Information Security & Risk Management (ISRM), Microsoft IT

Page 3: Shared security responsibility

Layers of the stack, from the customer's data down to the data center:
• Data classification & accountability
• Client & endpoint protection
• Identity & access management
• Application level controls
• Network level controls
• Host security
• Physical security

Page 4: Agenda

1. Authentication
2. Auditing & Logging
3. Configuration Management
4. Sensitive Data
5. Communication

Page 5: 1. Authentication

Page 6: Authentication - Threats and Countermeasures

Countermeasures:
• Use organizational accounts or corporate identities
• Use strong passwords
• Use multi-factor authentication
• Use the Federated Identity pattern
• Extend on-premise AD to Azure

[Diagram: users and admins reaching the Azure Portal, Cloud Services and Virtual Machines; identities come from Enterprise Active Directory, Azure Active Directory and the Access Control Service.]

Page 7: Use Organizational Accounts or Corporate Identities

Identity options:
• Microsoft Account (Windows Live ID)
• Azure Active Directory
• Active Directory with directory sync with password to Azure Active Directory
• Active Directory with directory sync with Federation to Azure Active Directory

Controls to enforce on those identities:
• Enforce password policies
• Enforce cloud based multi-factor authentication
• Enforce on-premise multi-factor authentication

Page 8: Federated Identity Pattern

Parties: Identity Provider (IdP) or Security Token Service (STS), Consumer, Service.

1. Service trusts the IdP or STS
2. Consumer authenticates to the IdP/STS and requests a token
3. STS returns the token
4. Consumer presents the token to the service

Page 9: Directory Sync with Federation

[Diagram: Windows Azure Portal (https://windows.azure.com/contoso.com), Windows Azure Active Directory, ADFS (sts.contoso.com) and on-premise Active Directory.]

1. Admin logs in on-prem
2. Admin browses to the Azure portal
3. Admin is redirected to AAD
4. AAD redirects to the on-prem STS, since directory sync with SSO is set up
5. Admin authenticates to the on-prem STS
6. On-prem STS returns the admin's token to AAD
7. AAD has a trust with the STS, validates the token and redirects to the Azure portal
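The trust relationship on pages 8 and 9 comes down to four checks the relying party must make on every token it receives. The following is an added example, not code from the talk: it simulates an STS issuing a token and a service validating it. The token format is a constructed JWT-like "claims.signature" string signed with HMAC-SHA256; a real STS such as ADFS or Azure AD signs SAML or JWT tokens with its certificate, but the checks (signature from the trusted STS, expected issuer, expected audience, validity window) are the same. The issuer URL, audience, key and clock value are assumptions.

```python
"""Federated identity pattern, simulated end to end (added example)."""
import base64
import hashlib
import hmac
import json

# Trust configuration of the service (relying party). The service trusts one
# STS, identified by issuer name and signing key: this is the "service trusts
# IdP or STS" step. An HMAC key stands in for the STS signing certificate.
# All three values are constructed for the example.
TRUSTED_ISSUER = "https://sts.contoso.com/adfs/services/trust"
TRUSTED_STS_KEY = b"constructed-sts-signing-key-not-for-real-use"
SERVICE_AUDIENCE = "https://app.contoso.com/"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key: bytes, payload: str) -> bytes:
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).digest()


def sts_issue_token(key, issuer, subject, audience, now, lifetime=300):
    """Steps 2 and 3: after authenticating the consumer (not shown) the STS
    returns a signed token scoped to one audience with a short lifetime."""
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "nbf": now, "exp": now + lifetime}
    payload = _b64e(json.dumps(claims, sort_keys=True).encode("utf-8"))
    return payload + "." + _b64e(_sign(key, payload))


def validation_error(token, now):
    """Step 4: the service's checks. Returns None when the token is acceptable,
    otherwise the reason for rejection. The signature is verified before the
    claims are parsed, so unsigned input never reaches the JSON parser."""
    payload, sep, signature = token.rpartition(".")
    if not sep or not payload:
        return "malformed token"
    try:
        provided = _b64d(signature)
    except (ValueError, TypeError):
        return "malformed signature"
    if not hmac.compare_digest(_sign(TRUSTED_STS_KEY, payload), provided):
        return "signature not from the trusted STS"
    claims = json.loads(_b64d(payload))
    if claims.get("iss") != TRUSTED_ISSUER:
        return "untrusted issuer"
    if claims.get("aud") != SERVICE_AUDIENCE:
        return "token issued for a different service"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return "token outside its validity window"
    return None


def service_accept(token, now):
    """Returns the claims the service may rely on, or raises PermissionError."""
    err = validation_error(token, now)
    if err:
        raise PermissionError(err)
    return json.loads(_b64d(token.rpartition(".")[0]))


if __name__ == "__main__":
    now = 1_415_260_800  # constructed clock value
    good = sts_issue_token(TRUSTED_STS_KEY, TRUSTED_ISSUER, "alice", SERVICE_AUDIENCE, now)
    print("accepted subject:", service_accept(good, now + 10)["sub"])
    rogue = sts_issue_token(b"attacker-key", TRUSTED_ISSUER, "alice", SERVICE_AUDIENCE, now)
    print("rogue STS:", validation_error(rogue, now + 10))
    other = sts_issue_token(TRUSTED_STS_KEY, TRUSTED_ISSUER, "alice", "https://other.contoso.com/", now)
    print("wrong audience:", validation_error(other, now + 10))
    print("expired:", validation_error(good, now + 3600))
```

The audience check is the one most often skipped: without it a token a user legitimately obtained for one application can be replayed against another application that trusts the same STS.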

Page 10: Extend on-premise Active Directory to Azure

[Diagram: the enterprise network (Enterprise Active Directory and its users) connected over VPN to an Azure Virtual Network that holds domain controllers, application servers and SQL Server, each tier in its own Availability Set; AD replication runs between the on-premise and Azure domain controllers.]

Page 11: Authentication Summary

Threats:
• Improper de-provisioning
• Credential theft
• Brute forcing passwords

Countermeasures:
• Use organizational accounts or corporate identities
• Use strong passwords
• Use multi-factor authentication
• Use the Federated Identity pattern
• Extend on-premise AD to Azure

Page 12: 2. Auditing & Logging

Page 13: Auditing & Logging - Threats and Countermeasures

Countermeasures:
• Enable logging
• Transfer logs to storage
• Monitor logs for suspicious activity

[Diagram: logging sources across the estate: Azure Active Directory (Auditing and Activity Logging), the Azure subscription (Subscription Operation logs), Cloud Services and Virtual Machines (Windows Azure Diagnostics), Azure Storage (Azure Storage Logging) and Azure SQL Database (SQL Azure Auditing).]

Page 14: Auditing and Logging Summary

Azure component | Logging feature | Examples of suspicious behavior
Azure Active Directory | Auditing and Activity Logging | Addition of a user or admin, change of group membership
Azure Subscription | Subscription Operation logs | Addition of a co-administrator, enabling RDP on a cloud service, operation from an unexpected IP address
Azure Web Sites | Application and Site Diagnostics | Performance degradation due to a DoS attack
Cloud Services | Windows Azure Diagnostics | Security event for malware, remote login, creation of a local user, change of important files, performance degradation due to a DoS attack
Virtual Machines | Windows Azure Diagnostics or Windows Event Forwarding | Same as Cloud Services
Azure Storage | Azure Storage Logging | Operation from an unexpected IP address, unexpected operation
Azure SQL Database | SQL Azure Auditing | Operation from an unexpected IP address
Service Bus relay | No logs available | N/A
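"Monitor logs for suspicious activity" only pays off when the table above is turned into rules. The following is an added example, not code from the talk: a small triage pass over constructed records shaped like subscription operation-log and storage-log entries, flagging operations from outside trusted networks, high-risk operations (co-administrator added, RDP enabled, deletes) and repeated authentication failures from one address. The record field names, the trusted network ranges, the high-risk operation list and the failure threshold are assumptions to adapt to the real log schema and estate.

```python
"""Triage of operation logs for the suspicious behaviour on the slide (added example)."""
import ipaddress
from collections import Counter

# Constructed sample records, not real Azure log output. Field names are assumptions.
SAMPLE_RECORDS = [
    {"source": "subscription", "time": "2014-11-06T03:12:09Z", "caller": "admin@contoso.com",
     "operation": "AddCoAdministrator", "ip": "198.51.100.23", "status": "Succeeded"},
    {"source": "subscription", "time": "2014-11-06T09:01:44Z", "caller": "ops@contoso.com",
     "operation": "UpdateDeployment", "ip": "10.20.4.15", "status": "Succeeded"},
    {"source": "subscription", "time": "2014-11-06T09:05:10Z", "caller": "ops@contoso.com",
     "operation": "EnableRemoteDesktop", "ip": "10.20.4.15", "status": "Succeeded"},
    {"source": "storage", "time": "2014-11-06T11:40:02Z", "caller": "sas",
     "operation": "DeleteBlob", "ip": "203.0.113.7", "status": "Succeeded"},
    {"source": "storage", "time": "2014-11-06T11:41:00Z", "caller": "anonymous",
     "operation": "GetBlob", "ip": "10.20.4.99", "status": "AuthenticationFailed"},
    {"source": "storage", "time": "2014-11-06T11:41:01Z", "caller": "anonymous",
     "operation": "GetBlob", "ip": "10.20.4.99", "status": "AuthenticationFailed"},
    {"source": "storage", "time": "2014-11-06T11:41:02Z", "caller": "anonymous",
     "operation": "GetBlob", "ip": "10.20.4.99", "status": "AuthenticationFailed"},
    {"source": "storage", "time": "2014-11-06T12:00:00Z", "caller": "sas",
     "operation": "GetBlob", "ip": "10.20.4.15", "status": "Succeeded"},
]

# Assumptions: corporate egress ranges, operations worth a look regardless of
# who performed them, and how many auth failures from one address is too many.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("192.0.2.0/24")]
HIGH_RISK_OPERATIONS = {"AddCoAdministrator", "EnableRemoteDesktop", "RegenerateStorageKeys",
                        "DeleteBlob", "DeleteContainer"}
AUTH_FAILURE_THRESHOLD = 3


def from_trusted_network(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(records):
    """Returns one alert per record that matches at least one rule, in log order.
    A record can carry several reasons (e.g. a co-admin added from an unknown IP)."""
    alerts = []
    failures = Counter()  # auth failures seen so far, per source address
    for r in records:
        reasons = []
        if not from_trusted_network(r["ip"]):
            reasons.append("operation from unexpected IP address")
        if r["operation"] in HIGH_RISK_OPERATIONS:
            reasons.append("high-risk operation " + r["operation"])
        if r["status"] == "AuthenticationFailed":
            failures[r["ip"]] += 1
            if failures[r["ip"]] == AUTH_FAILURE_THRESHOLD:  # alert once, at the threshold
                reasons.append(f"{AUTH_FAILURE_THRESHOLD} authentication failures from {r['ip']}")
        if reasons:
            alerts.append({"time": r["time"], "source": r["source"], "caller": r["caller"],
                           "operation": r["operation"], "ip": r["ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS):
        print(a["time"], a["source"], a["caller"], a["operation"], a["ip"], "->", "; ".join(a["reasons"]))
```

In practice the records come from the storage account the logs were transferred to, which is the second countermeasure on the slide: a log that is only on the role instance disappears when the instance is recycled.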

Page 15: 3. Configuration Management

Page 16: Configuration Management - Threats and Countermeasures

[Diagram: Dev commits the cscfg to a Git repository in Visual Studio Online; Admin deploys the cscfg and cspkg to the cloud service in the Azure subscription; the cloud service reaches Azure Storage and Azure SQL Database with the keys held in the cscfg.]

Countermeasures:
• Encrypt secrets in config files
• Use the Runtime Reconfiguration pattern
• Roll over secret keys

Page 17: Encrypt secret keys in config files

1. Admin generates a certificate and encrypts the secret in the config file
2. Admin stores the encrypted config file in the repository and uploads the config file and the certificate to the cloud service
3. Cloud service reads the encrypted value and decrypts it at runtime

Page 18: Runtime Reconfiguration pattern

1. Admin changes configuration in the service configuration file
2. Application code subscribes to an event to know when configuration has changed. The code allows the change if it is acceptable; if the change is not acceptable and may cause configuration issues, the code requests a role restart.

Page 19: Roll over secret keys

Azure Storage has primary and secondary access keys, and either one is accepted, which is what makes a rollover without downtime possible:

1. Change configuration to the secondary access key (configuration changes at runtime)
2. Regenerate the primary access key, then change configuration to the new primary access key (configuration changes at runtime)
3. Regenerate the secondary access key

Automate these steps.
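Pages 18 and 19 describe one mechanism (the configuration-changing event) and one procedure that depends on it (key rollover). The following is an added example, not code from the talk, that simulates both: a stand-in for the Azure Storage account with its two keys, a stand-in for a role that handles the configuration-changing event, and the rollover in the slide's order, with a check after every step that the service is never holding a key the account has stopped accepting. A second function shows the ordering mistake the procedure prevents. The setting names and the set of settings that force a restart are assumptions.

```python
"""Runtime reconfiguration and storage key rollover, simulated (added example)."""
import secrets


class StorageAccount:
    """Constructed stand-in for the storage account: two keys, either accepted."""

    def __init__(self):
        self.keys = {"primary": secrets.token_hex(16), "secondary": secrets.token_hex(16)}

    def regenerate(self, which):
        self.keys[which] = secrets.token_hex(16)
        return self.keys[which]

    def accepts(self, key):
        return key in self.keys.values()


class CloudService:
    """Role instance that applies configuration at runtime instead of redeploying."""

    # Assumption: settings the code cannot swap without a restart. Everything
    # else, the storage key included, is re-read live, so no restart is needed.
    RESTART_REQUIRED = {"Database.ConnectionString"}

    def __init__(self, config):
        self.config = dict(config)
        self.restarts = 0

    def on_configuration_changing(self, new_config):
        """Equivalent of a RoleEnvironment.Changing handler: absorb the change if
        every changed setting can be applied live, otherwise request a role
        restart. Returns True when a restart was requested."""
        changed = {k for k in set(new_config) | set(self.config)
                   if new_config.get(k) != self.config.get(k)}
        restart = bool(changed & self.RESTART_REQUIRED)
        if restart:
            self.restarts += 1  # in Azure: e.Cancel = true, the role recycles
        self.config = dict(new_config)
        return restart

    def storage_key(self):
        return self.config["Storage.Key"]


def _ensure_service_can_still_authenticate(account, service, step):
    if not account.accepts(service.storage_key()):
        raise RuntimeError(f"after '{step}' the service holds a key the account no longer accepts")


def roll_over_keys(account, service):
    """The slide's order: switch to secondary, regenerate primary, switch to the
    new primary, regenerate secondary. The service never uses a key that is
    being regenerated. Returns the number of restarts the rollover caused."""
    before = service.restarts
    service.on_configuration_changing({**service.config, "Storage.Key": account.keys["secondary"]})
    _ensure_service_can_still_authenticate(account, service, "switch to secondary")
    new_primary = account.regenerate("primary")
    _ensure_service_can_still_authenticate(account, service, "regenerate primary")
    service.on_configuration_changing({**service.config, "Storage.Key": new_primary})
    _ensure_service_can_still_authenticate(account, service, "switch to new primary")
    account.regenerate("secondary")
    _ensure_service_can_still_authenticate(account, service, "regenerate secondary")
    return service.restarts - before


def naive_rollover_breaks_service(account, service):
    """The mistake the ordering prevents: regenerating the key in use first.
    Returns True if the service was left holding a dead key."""
    account.regenerate("primary")
    return not account.accepts(service.storage_key())


def new_service(account):
    """A service whose configuration points at the account's current primary key."""
    return CloudService({"Storage.Key": account.keys["primary"],
                         "Database.ConnectionString": "Server=tcp:db.database.windows.net;Encrypt=True"})


if __name__ == "__main__":
    acct = StorageAccount()
    svc = new_service(acct)
    print("restarts caused by rollover:", roll_over_keys(acct, svc))
    print("service now on the fresh primary key:", svc.storage_key() == acct.keys["primary"])
    acct2 = StorageAccount()
    print("naive order breaks the service:", naive_rollover_breaks_service(acct2, new_service(acct2)))
```

The rollover causes no restart only because the storage key is a setting the code re-reads live; if the key were baked into a connection object created at start-up, the same change would have to go through the restart path, and the rollover would cost availability.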

Page 20: Configuration Management Summary

Threats:
• Secret keys compromised from the repository
• Improper de-provisioning

Countermeasures:
• Encrypt secrets in config files
• Use the Runtime Reconfiguration pattern
• Roll over secret keys

Page 21: 4. Sensitive Data

Page 22: Sensitive Data - Threats and Countermeasures

[Diagram: users reaching a web application in a cloud service, which keeps data in Azure Storage and Azure SQL Database; application servers and SQL Server on virtual machines; Admin.]

Countermeasures:
• Use the Valet Key pattern
• Encrypt sensitive data at rest

Page 23: Valet Key Pattern

1. User requests a resource
2. Application checks the validity of the request, generates a Shared Access Signature (SAS) and returns it to the user
3. User directly accesses the resource using the SAS

Example SAS URL (query parameters: sv = signed version, st = start time, se = expiry time, sr = resource type (b for blob), sp = permissions (here read and write), sig = the signature computed over those values with the account key):

https://myaccount.blob.core.windows.net/sascontainer/sasblob.txt?sv=2012-02-12&st=2013-04-29T22%3A18%3A26Z&se=2013-04-30T02%3A23%3A26Z&sr=b&sp=rw&sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D
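The security of the pattern rests on step 2: the application decides what the user may do, then mints a SAS that carries only those permissions and a short lifetime, so the account key never leaves the application. The following is an added example, not code from the talk, that builds and verifies a blob SAS with the same parameters as the URL above. The account name, account key and the application's authorisation table are constructed. The string-to-sign follows the 2012-02-12 service SAS layout (permissions, start, expiry, canonicalized resource, signed identifier, version) as documented for that version; confirm it against the Storage REST reference for the version you target, since later versions add fields.

```python
"""Valet Key pattern: authorise, then mint a scoped, short-lived SAS (added example)."""
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

ACCOUNT = "myaccount"
ACCOUNT_KEY = base64.b64encode(b"0123456789abcdef0123456789abcdef").decode()  # constructed key
SAS_VERSION = "2012-02-12"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Assumption: the application's own authorisation table, user -> (container, blob) -> permissions.
AUTHORIZED = {"alice": {("sascontainer", "sasblob.txt"): "r"},
              "bob": {("sascontainer", "sasblob.txt"): "rw"}}
MAX_LIFETIME = timedelta(minutes=15)  # valet keys are short-lived
CLOCK_SKEW = timedelta(minutes=5)     # start slightly in the past so skewed clients are not rejected


def _string_to_sign(permissions, start, expiry, container, blob):
    canonical = f"/{ACCOUNT}/{container}/{blob}"
    return "\n".join([permissions, start, expiry, canonical, "", SAS_VERSION])


def _signature(string_to_sign, key=ACCOUNT_KEY):
    mac = hmac.new(base64.b64decode(key), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def make_blob_sas(container, blob, permissions, start, expiry):
    params = {"sv": SAS_VERSION, "st": start.strftime(TIME_FMT), "se": expiry.strftime(TIME_FMT),
              "sr": "b", "sp": permissions}
    params["sig"] = _signature(_string_to_sign(params["sp"], params["st"], params["se"], container, blob))
    return f"https://{ACCOUNT}.blob.core.windows.net/{container}/{blob}?{urlencode(params)}"


def issue_valet_key(user, container, blob, wanted, now):
    """Step 2: check the request against the application's authorisation, then
    mint a SAS carrying only the requested permissions and a bounded lifetime."""
    granted = AUTHORIZED.get(user, {}).get((container, blob), "")
    if not wanted or any(p not in granted for p in wanted):
        raise PermissionError(f"{user} may not get '{wanted}' on {container}/{blob}")
    return make_blob_sas(container, blob, wanted, now - CLOCK_SKEW, now + MAX_LIFETIME)


def verify_sas(url, at):
    """What the storage service does in step 3: recompute the signature from the
    query parameters and resource path, then enforce the validity window."""
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if not {"sp", "st", "se", "sig"} <= set(q):
        return False
    container, blob = parsed.path.lstrip("/").split("/", 1)
    expected = _signature(_string_to_sign(q["sp"], q["st"], q["se"], container, blob))
    if not hmac.compare_digest(expected, q["sig"]):
        return False
    start = datetime.strptime(q["st"], TIME_FMT).replace(tzinfo=timezone.utc)
    expiry = datetime.strptime(q["se"], TIME_FMT).replace(tzinfo=timezone.utc)
    return start <= at < expiry


if __name__ == "__main__":
    now = datetime(2013, 4, 29, 22, 23, 26, tzinfo=timezone.utc)  # constructed clock
    url = issue_valet_key("alice", "sascontainer", "sasblob.txt", "r", now)
    print(url)
    print("valid now:", verify_sas(url, now))
    print("valid in an hour:", verify_sas(url, now + timedelta(hours=1)))
    print("tampered to rw:", verify_sas(url.replace("sp=r&", "sp=rw&"), now))
```

Because the permissions and expiry are inside the signed string, a user who edits sp or se in the URL invalidates the signature; the only way to widen access is to ask the application again, which re-runs the authorisation check.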

Page 24: Encrypt sensitive data at rest

[Diagram as on page 22, annotated with the encryption option for each tier:]
• Virtual machines: BitLocker Drive Encryption
• SQL Server on virtual machines: Transparent Data Encryption or Column Level Encryption
• Data the application writes to Azure Storage or Azure SQL Database: application level encryption using the .NET Crypto API or the equivalent in other languages

Page 25: Encrypt sensitive data at rest

Scenario | Encryption technology | Key management
Azure VMs with sensitive files | BitLocker Drive Encryption | 3rd party solutions
Sensitive data in SQL Server on an Azure VM | SQL Server Transparent Data Encryption or Column Level Encryption | Can use Extensible Key Management and an existing on-premise HSM
Sensitive data in Azure Storage, NoSQL, Azure SQL Database | Application level encryption using the .NET Crypto API or other languages | Customer manages encryption keys

Page 26: 5. Communication

Page 27: Communication - Threats and Countermeasures

[Diagram: users reaching the cloud service; an enterprise app server reached through Service Bus Relay; Admin; Azure Storage and Azure SQL Database.]

Countermeasures:
• Use SSL
• Disable remote desktop
• Limit input endpoints
• Use IP based restrictions

Page 28: Communication Summary

Azure component | IP based restriction | Encrypt data in transit
Azure Web Sites | IIS IP Restrictions | Upload SSL certificate and use a custom domain
Cloud Services | Configure the host firewall using a start-up task, or use IIS IP Restrictions | Upload SSL certificate and use a custom domain
Virtual Machines | Network Access Control List | Configure SSL certificate
Virtual Network | Inbound and outbound IP restriction using a Network Security Group | Use SSL
Azure SQL Database | Azure SQL Firewall | Use Encrypt=true;TrustServerCertificate=False in the SQL connection string
Azure Storage | Not possible | Use https:// from the client
Service Bus relay | Not possible | Use https:// from the client and optionally WCF message layer encryption
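For Azure SQL Database and Azure Storage the in-transit protection in the table is entirely a client-side setting, which makes it something to check in configuration rather than on the wire. The following is an added example, not code from the talk: a parser for the Key=Value connection-string format plus audits for the two cases in the table (Encrypt=true with TrustServerCertificate=False for SQL, https for storage endpoints) and a function that rewrites a weak SQL connection string to the recommended settings. The sample connection strings are constructed; server, account and credential values are placeholders. A missing Encrypt is reported as a finding because the driver default has differed between SqlClient versions.

```python
"""Auditing connection strings for the in-transit settings on the slide (added example)."""


def parse_connection_string(cs):
    """Key=Value pairs separated by ';'. Keys are case-insensitive; only the first
    '=' splits, so values such as base64 account keys may contain '='."""
    settings = {}
    for segment in cs.split(";"):
        if "=" not in segment:
            continue
        key, value = segment.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def _is_true(value):
    return value.strip().lower() in ("true", "yes")


def audit_sql_connection_string(cs):
    """Findings against the Encrypt=true;TrustServerCertificate=False recommendation."""
    s = parse_connection_string(cs)
    findings = []
    if not _is_true(s.get("encrypt", "")):
        findings.append("Encrypt is not true: traffic to Azure SQL Database is sent in clear")
    if _is_true(s.get("trustservercertificate", "")):
        findings.append("TrustServerCertificate=True: the server certificate is not validated, "
                        "so encryption does not stop an on-path attacker")
    return findings


def audit_storage_connection_string(cs):
    """Azure Storage cannot restrict source IPs, so the client must use https://."""
    s = parse_connection_string(cs)
    findings = []
    if s.get("defaultendpointsprotocol", "").lower() != "https":
        findings.append("DefaultEndpointsProtocol is not https")
    for key in ("blobendpoint", "queueendpoint", "tableendpoint"):
        if key in s and not s[key].lower().startswith("https://"):
            findings.append(f"{key} is not an https:// URL")
    return findings


def harden_sql_connection_string(cs):
    """Rewrite with the recommended settings, keeping every other segment as-is."""
    keep = [seg for seg in cs.split(";") if seg.strip()
            and seg.split("=", 1)[0].strip().lower() not in ("encrypt", "trustservercertificate")]
    return ";".join(keep + ["Encrypt=True", "TrustServerCertificate=False"]) + ";"


# Constructed samples: the weak setting beside what the slide recommends.
WEAK_SQL = ("Server=tcp:myserver.database.windows.net,1433;Database=mydb;"
            "User ID=myuser@myserver;Password=placeholder;Encrypt=False;TrustServerCertificate=True;")
WEAK_STORAGE = "DefaultEndpointsProtocol=http;AccountName=myaccount;AccountKey=placeholder=="

if __name__ == "__main__":
    for finding in audit_sql_connection_string(WEAK_SQL):
        print("SQL:", finding)
    print("hardened:", harden_sql_connection_string(WEAK_SQL))
    for finding in audit_storage_connection_string(WEAK_STORAGE):
        print("Storage:", finding)
```

TrustServerCertificate=True is the setting to look for hardest: the connection is encrypted, so a packet capture shows ciphertext, but any endpoint that presents a certificate is accepted.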

Page 29: Summary

Page 30: Security Frame - Threats and Countermeasures

Security category | Threats | Countermeasures
Authentication | Improper de-provisioning; credential theft; brute forcing passwords | Use organizational accounts or corporate identities; use strong passwords; use multi-factor authentication; use the Federated Identity pattern; extend on-premise AD to Azure
Auditing & Logging | Repudiation; logs lost due to recycle or deleted | Enable logging; transfer logs to storage; monitor logs for suspicious activity
Configuration management | Improper de-provisioning; secret keys compromised from the repository | Encrypt secrets in config files; use the Runtime Reconfiguration pattern; roll over secret keys
Sensitive Data | Shared secrets are the only line of defense | Use the Valet Key pattern; encrypt sensitive data at rest
Communication | Data sniffed on the network; remote desktop password compromised | Use SSL; disable remote desktop; limit input endpoints; use IP based restrictions

Page 31: Summary

• Understand what you are responsible for
• Understand threats and implement countermeasures
• Use Azure security features, patterns and practices

Page 32: Recommended/related sessions

1. Protect your business running in Azure using Microsoft Azure Backup Service (Online Services, 6th Nov, 4PM)
2. Using Auditing and Azure Automation with Azure SQL Database (Business Intelligence, 6th Nov, 1:45PM)
3. Office 365 Security, Privacy and Compliance (Online Services, 6th Nov, 2:45PM)

Page 33: References

Related references for you to expand your knowledge on the subject:
• Azure Trust Center, http://azure.microsoft.com/en-us/support/trust-center/
• Azure Security Guidance, http://azure.microsoft.com/en-us/documentation/articles/best-practices-security/
• Azure Identity, http://azure.microsoft.com/en-us/documentation/articles/fundamentals-identity/
• Azure Multi-factor authentication, http://azure.microsoft.com/en-in/services/multi-factor-authentication/
• Cloud Design Patterns, http://msdn.microsoft.com/en-us/library/dn600223.aspx
• Security Best Practices for Windows Azure Solutions, http://download.microsoft.com/download/7/8/A/78AB795A-8A5B-48B0-9422-FDDEEE8F70C1/SecurityBestPracticesForWindowsAzureSolutionsFeb2014.docx
• Security Best Practices for Developing Windows Azure Applications, http://www.microsoft.com/en-in/download/details.aspx?id=7253

More: technet.microsoft.com/en-in, aka.ms/mva, msdn.microsoft.com/

Page 34: Your Feedback is Important

Fill out the evaluation of this session and help shape future events (Option 1, Option 2, or Option 3: feedback stations outside the hall).

Page 35: Follow us online

Facebook: facebook.com/MicrosoftDeveloper.India
Twitter: twitter.com/msdevindia
Email: [email protected]
