TRANSCRIPT
Learn. Connect. Explore.
Security Best Practices for Microsoft Azure Applications
Varun Sharma
Principal Security Engineer,
Information Security & Risk Management (ISRM),
Microsoft IT
Shared security responsibility
• Data classification & accountability
• Client & endpoint protection
• Identity & access management
• Application level controls
• Network level controls
• Host security
• Physical security
Agenda
1. Authentication
2. Auditing & Logging
3. Configuration Management
4. Sensitive Data
5. Communication
1. Authentication
Countermeasures
• Use organizational accounts or corporate identities
• Use strong passwords
• Use multi-factor authentication
• Use Federated Identity pattern
• Extend on-premise AD to Azure
[Diagram: user and admin authenticate through Azure Active Directory / Access Control Service to the Azure Portal, cloud services and virtual machines, with the enterprise Active Directory behind them.]
Authentication - Threats and Countermeasures
Use Organizational Accounts or Corporate Identities
• Enforce password policies
• Enforce cloud based multi-factor authentication
• Enforce on-premise multi-factor authentication
[Diagram labels: Azure Active Directory; Azure Active Directory with directory sync with password from Active Directory; Azure Active Directory with directory sync with federation from Active Directory; Microsoft Account (Windows Live ID).]
Federated Identity Pattern
Parties: Identity Provider (IdP) or Security Token Service (STS), Consumer, Service.
1. Service trusts IdP or STS
2. Consumer authenticates and requests token
3. STS returns token
4. Consumer presents token to service
Directory Sync with Federation
[Diagram: Windows Azure Portal (https://windows.azure.com/contoso.com), Windows Azure Active Directory, ADFS (sts.contoso.com), on-premise Active Directory.]
1. Admin logs in on-prem
2. Admin browses to Azure portal
3. Admin is redirected to AAD
4. AAD redirects to on-prem STS since directory sync with SSO is set up
5. Admin authenticates to on-prem STS
6. On-prem STS returns admin token to AAD
7. AAD has a trust with STS, validates token, redirects to Azure portal
Extend on-premise Active Directory to Azure
[Diagram: enterprise Active Directory connected by VPN to an Azure virtual network holding domain controllers, application and SQL Server availability sets, with AD replication between on-premise and Azure.]
Authentication Summary
Threats:
• Improper de-provisioning
• Credential theft
• Brute forcing passwords
Countermeasures:
• Use organizational accounts or corporate identities
• Use strong passwords
• Use multi-factor authentication
• Use Federated Identity pattern
• Extend on-premise AD to Azure
2. Auditing & Logging
Countermeasures
• Enable logging
• Transfer logs to storage
• Monitor logs for suspicious activity
[Diagram: user and admin access the Azure Portal, cloud services and virtual machines through Azure Active Directory.]
Auditing & Logging - Threats and Countermeasures
[Diagram: logging features per component: Azure Active Directory Auditing and Activity Logging, Subscription Operation logs, Windows Azure Diagnostics, Azure Storage Logging, SQL Azure Auditing; logs transferred to Azure Storage and Azure SQL Database.]
Auditing and Logging Summary
Azure component | Logging feature | Examples of suspicious behavior
Azure Active Directory | Auditing and Activity Logging | Addition of user, admin, change of group membership
Azure Subscription | Subscription Operation logs | Addition of co-administrator, enabling RDP on cloud service, operation from unexpected IP address
Azure Web Sites | Application and Site Diagnostics | Performance degradation due to DOS attack
Cloud Services | Windows Azure Diagnostics | Security event for malware, remote login, creation of local user, change of important files, performance degradation due to DOS attack
Virtual Machines | Windows Azure Diagnostics or Windows Event Forwarding |
Azure Storage | Azure Storage Logging | Operation from unexpected IP address, unexpected operation
Azure SQL Database | SQL Azure Auditing | Operation from unexpected IP address
Service bus relay | No logs available | N/A
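The "monitor logs for suspicious activity" step for Azure Storage, as an added example (not from the deck): it parses Storage Analytics log lines and flags the two cases the table names, an operation from an unexpected IP address and an unexpected (destructive or failed anonymous) operation. The field positions are assumed from the Storage Analytics log format 1.0, and the log lines, trusted network and operation list are constructed for the demo.

```python
import ipaddress

# Field positions in Storage Analytics log format 1.0 (assumed from the public
# log format: semicolon separated, requester IP carries a ":port" suffix).
OP, STATUS, AUTH, IP = 2, 3, 7, 15

# Constructed sample lines (not real log data); unused trailing fields left empty.
SAMPLE_LOG = """\
1.0;2014-11-05T10:01:12Z;GetBlob;Success;200;5;5;authenticated;myaccount;myaccount;blob;"https://myaccount.blob.core.windows.net/sascontainer/sasblob.txt";"/myaccount/sascontainer/sasblob.txt";id1;1;10.1.2.3:4362;2012-02-12;0;0;0;0;0;;;;;;;;
1.0;2014-11-05T10:02:40Z;DeleteContainer;Success;202;7;7;authenticated;myaccount;myaccount;blob;"https://myaccount.blob.core.windows.net/sascontainer?restype=container";"/myaccount/sascontainer";id2;1;203.0.113.9:51122;2012-02-12;0;0;0;0;0;;;;;;;;
1.0;2014-11-05T10:03:01Z;GetBlob;AuthorizationError;403;3;3;anonymous;;myaccount;blob;"https://myaccount.blob.core.windows.net/sascontainer/sasblob.txt";"/myaccount/sascontainer/sasblob.txt";id3;1;198.51.100.7:40001;;0;0;0;0;0;;;;;;;;
"""

# Constructed policy: where our own roles/VMs talk to storage from, and which
# operations an application with read/write SAS tokens should never need.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
DESTRUCTIVE_OPS = {"DeleteContainer", "DeleteBlob", "SetContainerAcl", "SetBlobServiceProperties"}

def parse_line(line):
    """Pull the handful of fields the checks need out of one 1.0-format line."""
    f = line.rstrip("\n").split(";")
    ip = f[IP].rsplit(":", 1)[0].strip("[]")  # drop the port (and IPv6 brackets)
    return {"time": f[1], "op": f[OP], "status": f[STATUS], "auth": f[AUTH], "ip": ip}

def find_suspicious(log_text):
    """Return (time, operation, ip, reason) tuples for the table's suspicious cases."""
    alerts = []
    for line in log_text.splitlines():
        if not line.startswith("1.0;"):
            continue
        e = parse_line(line)
        trusted = any(ipaddress.ip_address(e["ip"]) in net for net in TRUSTED_NETS)
        if not trusted:
            alerts.append((e["time"], e["op"], e["ip"], "unexpected source IP"))
        if e["op"] in DESTRUCTIVE_OPS:
            alerts.append((e["time"], e["op"], e["ip"], "destructive operation"))
        if e["status"] != "Success" and e["auth"] == "anonymous":
            alerts.append((e["time"], e["op"], e["ip"], "failed anonymous access"))
    return alerts
```

In practice the log blobs live in the `$logs` container of the account, so the same function can be run over each hourly blob after it is transferred to the monitoring store.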
3. Configuration Management
[Diagram: admin and dev, Git repository on Visual Studio Online holding cscfg and cspkg, deployed to a cloud service in the Azure subscription that uses Azure Storage and Azure SQL Database.]
Countermeasures
• Encrypt secrets in config files
• Use Runtime Reconfiguration pattern
• Rollover secret keys
Configuration Management - Threats and Countermeasures
Encrypt secret keys in config files
1. Admin generates a certificate and encrypts secret in config file
2. Admin stores encrypted config file in repository and uploads config file and certificate to cloud service
3. Cloud service reads the encrypted value and decrypts it at runtime
Runtime Reconfiguration pattern
1. Admin changes configuration in service configuration file
2. Application code subscribes to an event to know if configuration has changed. Code allows change if acceptable. If change is not acceptable and may cause configuration issues, code requests a role restart.
Roll over secret keys
Azure storage has primary and secondary access keys.
1. Change configuration to secondary access key
2. Configuration changes at runtime
3. Regenerate primary access key and change configuration to new primary access key
4. Configuration changes at runtime
5. Regenerate secondary access key
Automation
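The rollover sequence above, as an added example (not the deck's own code) that models the primary/secondary key pair and the runtime-reconfigured setting, and checks after every step that the key the service is using still authorizes. The `StorageAccount` and `ServiceConfig` classes are constructed stand-ins for the storage key regeneration call and the cscfg setting; `unsafe_rollover` shows the outage caused by regenerating the key that is still in use.

```python
import secrets

class StorageAccount:
    """Stand-in for an Azure Storage account's two access keys (constructed; the
    real step is the management API's key regeneration, not this class)."""
    def __init__(self):
        self.keys = {"primary": secrets.token_hex(16), "secondary": secrets.token_hex(16)}

    def regenerate(self, which):
        self.keys[which] = secrets.token_hex(16)  # old value stops authorizing at once

    def authorize(self, key):
        return key in self.keys.values()

class ServiceConfig:
    """Stand-in for the storage key setting in the cscfg that the role re-reads
    at runtime (the Runtime Reconfiguration pattern)."""
    def __init__(self, key):
        self.storage_key = key

    def update(self, key):
        self.storage_key = key

def rollover(account, config, log):
    """Run the slide's steps in order; raise if the service would lose access."""
    def step(desc):
        if not account.authorize(config.storage_key):
            raise RuntimeError(f"service lost storage access after: {desc}")
        log.append(desc)
    config.update(account.keys["secondary"]); step("1. config switched to secondary key")
    account.regenerate("primary");            step("2. primary key regenerated")
    config.update(account.keys["primary"]);   step("3. config switched to new primary key")
    account.regenerate("secondary");          step("4. secondary key regenerated")
    return log

def unsafe_rollover(account, config):
    """The mistake the ordering prevents: regenerating the key still in use."""
    account.regenerate("primary")
    return account.authorize(config.storage_key)  # False: the service is now broken
```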
Configuration Management Summary
Threats:
• Secret keys compromised from repository
• Improper de-provisioning
Countermeasures:
• Encrypt secrets in config files
• Use Runtime Reconfiguration pattern
• Rollover secret keys
4. Sensitive Data
[Diagram: user reaches a cloud service web application backed by Azure Storage and Azure SQL Database, and an application with SQL Server on virtual machines; admin manages both.]
Countermeasures
• Use Valet Key pattern
• Encrypt sensitive data at rest
Sensitive Data - Threats and Countermeasures
Valet Key Pattern
[Diagram: user, cloud service application, Azure Storage; the application issues the SAS and the user presents it to storage.]
1. User requests a resource
2. Application checks validity of request, generates Shared Access Signature (SAS) and returns to user
3. User directly accesses resource using SAS
Example SAS URL:
https://myaccount.blob.core.windows.net/sascontainer/sasblob.txt?sv=2012-02-12&st=2013-04-29T22%3A18%3A26Z&se=2013-04-30T02%3A23%3A26Z&sr=b&sp=rw&sig=Z%2FRHIX5Xcg0Mq2rqI3OlWTjEg2tYkboXr1P9ZUXDtkk%3D
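Both halves of the Valet Key exchange, as an added example (not code from the deck): the application mints a SAS for one blob with the permissions and time window seen in the URL above, and the storage side recomputes the HMAC and rejects a token whose permissions or expiry were altered. The string-to-sign layout is assumed from the documented 2012-02-12 SAS format, and the account key is a constructed demo value.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

ACCOUNT = "myaccount"
# Constructed demo key (NOT a real storage key); real keys are base64 too.
ACCOUNT_KEY_B64 = base64.b64encode(b"demo-account-key-32-bytes-long!!").decode()

def _sign(key_b64, string_to_sign):
    """SAS signature: Base64(HMAC-SHA256(decoded account key, string-to-sign))."""
    mac = hmac.new(base64.b64decode(key_b64), string_to_sign.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def _string_to_sign(container, blob, sp, st, se, sv):
    # Assumed 2012-02-12 layout: permissions, start, expiry, canonical resource,
    # signed identifier (empty here), service version, newline separated.
    return "\n".join([sp, st, se, f"/{ACCOUNT}/{container}/{blob}", "", sv])

def make_sas_url(container, blob, sp, st, se, sv="2012-02-12"):
    """Application side: after validating the user's request, mint a blob-level
    (sr=b) SAS limited to permissions sp and the window [st, se)."""
    sig = _sign(ACCOUNT_KEY_B64, _string_to_sign(container, blob, sp, st, se, sv))
    params = {"sv": sv, "st": st, "se": se, "sr": "b", "sp": sp, "sig": sig}
    return f"https://{ACCOUNT}.blob.core.windows.net/{container}/{blob}?{urlencode(params)}"

def verify_sas_url(url, now):
    """Storage side: return the granted permissions, or None if the signature
    does not match the query fields or 'now' is outside the signed window."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    _, container, blob = u.path.split("/", 2)
    expected = _sign(ACCOUNT_KEY_B64,
                     _string_to_sign(container, blob, q["sp"], q["st"], q["se"], q["sv"]))
    if not hmac.compare_digest(expected, q["sig"]):
        return None  # sp/se/resource tampered, or token minted with a since-regenerated key
    if not (q["st"] <= now < q["se"]):  # ISO-8601 UTC strings compare lexicographically
        return None
    return q["sp"]
```

Regenerating the account key (the rollover countermeasure in section 3) invalidates every outstanding SAS at once, which is why the pattern pairs short expiry windows with key rotation rather than relying on either alone.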
[Diagram: same architecture as above, with the encryption option shown at each tier.]
Encrypt sensitive data at rest
• BitLocker Drive Encryption
• SQL Server Transparent Data Encryption or Column Level Encryption
• Application level encryption using .NET Crypto API or other languages
Encrypt sensitive data at rest
Scenario | Encryption technology | Key management
Azure VMs with sensitive files | BitLocker Drive Encryption | 3rd party solutions
Sensitive data in SQL Server on Azure VM | SQL Server Transparent Data Encryption or Column Level Encryption | Can use Extensible Key Management and existing on-premise HSM
Sensitive data in Azure Storage, NoSQL, Azure SQL Database | Application level encryption using .NET Crypto API or other languages | Customer manages encryption keys
5. Communication
[Diagram: user to cloud service; enterprise app server reached through Service Bus Relay; admin; Azure Storage and Azure SQL Database.]
Countermeasures
• Use SSL
• Disable remote desktop
• Limit input endpoints
• Use IP based restrictions
Communication - Threats and Countermeasures
Communication Summary
Azure component | IP based restriction | Encrypt data in transit
Azure Web Sites | IIS IP Restrictions | Upload SSL certificate and use custom domain
Cloud Services | Configure host firewall using start-up task or use IIS IP Restrictions | Upload SSL certificate and use custom domain
Virtual Machines | Network Access Control List | Configure SSL certificate
Virtual Network | Inbound and outbound IP restriction using Network Security Group | Use SSL
Azure SQL Database | Azure SQL Firewall | Use Encrypt=true;TrustServerCertificate=False in SQL connection string
Azure Storage | Not possible | Use https:// from client
Service bus relay | Not possible | Use https:// from client and optionally WCF message layer encryption
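A check for the Azure SQL Database row, as an added example (not from the deck): it parses an ADO.NET-style connection string, reports the two settings that weaken transport security, and returns a hardened copy with Encrypt=true and TrustServerCertificate=False. The sample connection string and its password are constructed placeholders.

```python
def parse_connection_string(cs):
    """Split 'Key=Value;Key=Value' into a dict. ADO.NET keywords are
    case-insensitive, so keys are lower-cased; values keep their case."""
    pairs = (p for p in cs.split(";") if p.strip())
    return {k.strip().lower(): v.strip() for k, v in (p.split("=", 1) for p in pairs)}

def check_sql_transport(cs):
    """Return a list of findings; an empty list means the string matches the
    slide's guidance (Encrypt=true; TrustServerCertificate=False)."""
    kv = parse_connection_string(cs)
    findings = []
    # Encrypt defaults to false in classic ADO.NET, so a missing key is a finding.
    if kv.get("encrypt", "false").lower() not in ("true", "yes"):
        findings.append("Encrypt is off: data to Azure SQL Database can be sniffed on the network")
    # Trusting any server certificate disables validation, so TLS no longer
    # proves the client is talking to the real *.database.windows.net endpoint.
    if kv.get("trustservercertificate", "false").lower() in ("true", "yes"):
        findings.append("TrustServerCertificate=True disables server certificate validation")
    return findings

def harden(cs):
    """Return the same connection string with both transport settings enforced."""
    kv = parse_connection_string(cs)
    kv["encrypt"] = "True"
    kv["trustservercertificate"] = "False"
    return ";".join(f"{k}={v}" for k, v in kv.items())

# Constructed example of the weak form (placeholder server, user and password).
WEAK = ("Server=tcp:myserver.database.windows.net,1433;Database=mydb;"
        "User ID=appuser@myserver;Password=PLACEHOLDER;"
        "Encrypt=False;TrustServerCertificate=True")
```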
Summary
Security Frame – Threats and Countermeasures
Security category | Threats | Countermeasures
Authentication | Improper de-provisioning; credential theft; brute forcing passwords | Use organizational accounts or corporate identities; use strong passwords; use multi-factor authentication; use Federated Identity pattern; extend on-premise AD to Azure
Auditing & Logging | Repudiation; logs lost due to recycle or deleted | Enable logging; transfer logs to storage; monitor logs for suspicious activity
Configuration management | Improper de-provisioning; secret keys compromised from repository | Encrypt secrets in config files; use Runtime Reconfiguration pattern; rollover secret keys
Sensitive Data | Shared secrets are only line of defense | Use Valet Key pattern; encrypt sensitive data at rest
Communication | Data sniffed on network; remote desktop password compromised | Use SSL; disable remote desktop; limit input endpoints; use IP based restrictions
Summary
• Understand what you are responsible for
• Understand threats and implement countermeasures
• Use Azure security features, patterns and practices
Recommended/related sessions
1. Protect your business running in Azure using Microsoft Azure Backup Service (Online Services, 6th Nov, 4PM)
2. Using Auditing and Azure Automation with Azure SQL Database (Business Intelligence, 6th Nov, 1:45PM)
3. Office 365 Security, Privacy and Compliance (Online Services, 6th Nov, 2:45PM)
References
Related references for you to expand your knowledge on the subject:
• Azure Trust Center, http://azure.microsoft.com/en-us/support/trust-center/
• Azure Security Guidance, http://azure.microsoft.com/en-us/documentation/articles/best-practices-security/
• Azure Identity, http://azure.microsoft.com/en-us/documentation/articles/fundamentals-identity/
• Azure Multi-factor authentication, http://azure.microsoft.com/en-in/services/multi-factor-authentication/
• Cloud Design patterns, http://msdn.microsoft.com/en-us/library/dn600223.aspx
• Security best practices for Windows Azure solutions, http://download.microsoft.com/download/7/8/A/78AB795A-8A5B-48B0-9422-FDDEEE8F70C1/SecurityBestPracticesForWindowsAzureSolutionsFeb2014.docx
• Security Best Practices For Developing Windows Azure Applications, http://www.microsoft.com/en-in/download/details.aspx?id=7253