• Save
Introduccion a la seguridad en Windows Azure
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


Introduccion a la seguridad en Windows Azure






Total Views
Views on SlideShare
Embed Views



2 Embeds 1,122

http://jpgarcia.cl 811
http://jpgarcia69.wordpress.com 311



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment
  • Welcome and speaker’s introductionSet expectations that the session is going to be about identity and access control for applications targeting the Windows Azure platform, as opposed to the services themselves (SQL Azure, Windows Azure management calls, etc.)
  • Port Scanning/ Service EnumerationThe only ports open and addressable (internally or externally) on a Windows Azure VM are those explicitly defined in the Service Definition file. Windows Firewall is enabled on each VM in addition to enhanced VM switch packet filtering, which blocks unauthorized traffic Denial of Service Windows Azure’s load balancing will partially mitigate Denial of Service attacks from the Internet and internal networks. This mitigation is done in conjunction with the developer defining an appropriate Service Definition VM instance count scale-out. On the Internet, Windows Azure VMs are only accessible through public Virtual IP Addresses (VIPs). VIP traffic is routed through Windows Azure’s load-balancing infrastructure. Windows Azure monitors and detects internally initiated Denial of Service attacks and removes offending VMs/accounts from the network. As a further protection, the root host OS that controls guest VMs in the cloud is not directly addressable internally by other tenants on the Windows Azure network and the root host OS is not externally addressable.Windows Azure is also reviewing additional Distributed Denial of Service (DDoS) solutions available from Microsoft Global Foundation Services to help further protect against Denial of Service attacks.SpoofingVLANs are used to partition the internal network and segment it in a way that prevents compromised nodes from impersonating trusted systems such as the Fabric Controller. At the Hypervisor VM Switch, additional filters are in place to block broadcast and multicast traffic, with the exception of what is needed to maintain DHCP leases. Furthermore, the channel used by the Root OS to communicate with the Fabric Controller is encrypted and mutually authenticated over an HTTPS connection, and it provides a secure transfer path for configuration and certificate information that cannot be intercepted.Eavesdropping / Packet SniffingThe Hypervisor’s Virtual Switch prevents sniffer-based attacks against other VMs on the same physical host. Top-of-rack switches will be used to restrict which IP and MAC addresses can be used by the VMs and therefore mitigate spoofing attacks on internal networks. To sniff the wire inside the Windows Azure cloud environment, an attacker would first need to compromise a VM tenant in a way that elevated the attacker to an administrator on the VM, then use a vulnerability in the hypervisor to break into the physical machine root OS and obtain system account privileges. At that point the attacker would only be able to see traffic inbound to the compromised host destined for the dynamic IP addresses of the VM guests controlled by the hypervisor. Multi-tenant hosting and side-channel attacksInformation disclosure attacks (such as sniffing) are less severe than other forms of attack inside the Windows Azure datacenter because virtual machines are inherently untrusted by the Root OS Hypervisor. Microsoft has done a great deal of analysis to determine susceptibility to side-channel attacks. Timing attacks are the most difficult to mitigate. With timing attacks, an application carefully measures how long it takes some operations to complete and infers what is happening on another processor. By detecting cache misses, an attacker can figure out which cache lines are being accessed in code. With certain crypto implementations involving lookups from large tables, knowing the pattern of memory accesses - even at the granularity of cache lines - can reveal the key being used for encryption. While seemingly far-fetched, such attacks have been demonstrated under controlled conditions. There are a number of reasons why side-channel attacks are unlikely to succeed in Windows Azure: An attack works best in the context of hyper-threading, where the two threads share all of their caches. Many current CPUs implement fully independent cores, each with a substantial private cache. The CPU chips that Windows Azure runs on today have four cores per chip and share caches only in the third tier.Windows Azure runs on nodes containing pairs of quad-core CPUs, so there are three other CPUs sharing the cache, and seven CPUs sharing the memory bus. This level of sharing leads to a great deal of noise in any signal from one CPU to another because actions of multiple CPUs tend to obfuscate the signal.Windows Azure generally dedicates CPUs to particular VMs. Any system that takes advantage of the fact that few servers keep their CPUs busy all the time, and implements more logical CPUs than physical CPUs, might open the possibility of context switches exposing cache access patterns. Windows Azure operates differently. VMs can migrate from one CPU to another, but are unlikely to do so frequently enough to offer an attacker any information.
  • Slide ObjectiveUnderstand that Microsoft has a long history in running data centres and online applications. Bing, Live, Hotmail etc….Understand the huge amount of innovation going on at the data center levelSpeaking Points:Microsoft is one of the largest operators of datacenters in the worldYears of ExperienceLarge scale trustworthy environmentsDriving for cost and environmental efficientlyWindows Azure runs in 3 regions and 6 datacenters todayData center innovation is driving improved reliability and efficiencyPUE = Power Usage Effectiveness = Total Facility power/IT Systems Power = Indication of efficiency of DCUnder 1.8 is very good, modern cloud DCs approaching 1.2Multi-billion dollar datacenter investment700,000+ square foot Chicago and the 300,000+ square foot Dublin, Ireland data centersMicrosoft cloud services provide the reliability and security you expect for your business: 99.9% uptime SLA, 24/7 support. Microsoft understands the needs of businesses with respect to security, data privacy, compliance and risk management, and identity and access control. Microsoft datacenters are ISO 27001:2005 accredited, with SAS 70 Type I and Type II attestations.Notes:http://www.globalfoundationservices.com/http://blogs.msdn.com/the_power_of_software/archive/2008/06/20/microsoft-s-pue-experience-years-of-experience-reams-of-data.aspxhttp://blogs.msdn.com/the_power_of_software/archive/2008/06/27/part-2-why-is-energy-efficiency-important.aspx
  • Welcome and speaker’s introductionSet expectations that the session is going to be about identity and access control for applications targeting the Windows Azure platform, as opposed to the services themselves (SQL Azure, Windows Azure management calls, etc.)

Introduccion a la seguridad en Windows Azure Presentation Transcript

  • 1. Windows Azure Security Overview
    Juan Pablo García González
    Solution Architect
    Daniel A. Montero González
    Software Developer Manager
    DATCO Chile
  • 2. Agenda
    Seguridad de la Plataforma
    Seguridad de Aplicaciones
    Administración de Identidad
    Seguridad de Datos
    Seguridad Física – Data Centers
  • 3. Introducción
    Daniel Montero
  • 4. SDL - Ciclo de vida de desarrollo de seguro
    Los productos Microsoft son desarrollados acorde a los procesos de SDL
    Enfoque prescriptivo pero práctico
    Practivo – no solo en «busca de errores»
    Elimina de forma temprana los problemas
    Resultados probados
    Desarrolle sus soluciones según SDL y proteja a sus clientes
    Reduzca el número de vulnerabilidades
    Reduzca la gravedad de sus vulnerabilidades
  • 5. Seguridad Multi Dimensional
    Para proveer una solución segura, todos los aspectos se deben considerar
  • 6. Seguridad de Datos - Capas de Seguridad de Windows Azure
    • Fuerte control de acceso al almacenamiento
    • 7. Compatibilidad SSL para la transferencia de datos
    • Código del Front-End se ejecuta bajo confianza parcial
    • 8. Cuentas de Windows con menores privilegios
    • Alojados sobre plataforma Windows Server 2008
    • 9. Límites de los host aplicados externamente por el hypervisor
    • El firewall de host limita el trafico hacia las VMs
    • 10. Routers filtran los paquetes y VLANs
    • Seguridad física del tipo World -Class
    • 11. Data center certificados ISO 27001 y SAS 70 Tipo II
  • Las amenazas a la Nube
    Amenazas tradicionales existentes
    Cross-Site scripting (XSS), SQL Injection
    Ataque DNS, Tráfico de Red}
    Antiguas amenazas migradas
    Aplicación de Parches automatizada e Instancias que son movidas a sistemas seguros
    Mejoras en el control de errores por resilencia de la Nube
    Expansión de algunas amenazas
    Privacidad de los datos, como la ubicación de la segregación
    Abuso de privilegios de acceso de los Administradores
    Nuevas amenazas introducidas
    Escalamiento de Privilegios desde la MV al Servidor Host
    Frenos a los límites de las MVs
    «Hyperjacking» – Uso de rootkits en el host de MV
  • 12. Seguridad de la Plataforma
    Juan Pablo García
  • 13. El tráfico de Azure pasa entre diferentes firewalls
    Algunos son administrador por el dueño del servicio mientras otros son manejados por Fabric
    Host VM
    Construido entre Firewall
  • 14. Host
    Cada Rol corre en una VM separada
    Endurecimiento (hardening)
    Instalación regular de updates de seguridad
    • Hardenedversion of Windows Server 2008 R2
    • 15. No persistentstorage en VM
    • 16. Drivers limitados
    • 17. Trafico regulado por el Firewall del host
    Hyper-v basedHypervisor
  • 18. Diferentes canales SSL
  • 19. Aislamiento en Windows Azure
    No depende de la seguridad de Windows
    Depende de la seguridad del Hypervisor, la red expuesta y los controladores de discos
    La superficie de ataques es minimizada aceptando muy pocos comandos y drivers específicos
    Un core de CPU es dedicado a un VM particular para evitar ataques «sidechannel»
    Los discos Guest son VHD en el sistema de archivos del OS root
    El hypervisor y Os root implementan filtro de paquetes de red para evitar Spoffing y trafico no autorizado hacia las VMs
  • 20. Defensas heredadas por las aplicaciones
  • 21. Seguridad de aplicaciones
    Las aplicaciones debes ser construidas siguiendo las mejores practicas
  • 22. Windows AzureCode Access Security
  • 23. Windows AzureCode Access Security
  • 24. Seguridad del servicio de administración
    Los clientes utilizan Windows Live ID
    Hosted Services y storage accounts se administran en la interfaz o con las API utilizandollavespublica y privadageneradapor el usuario
    Fabric controla las actualizaciones y controlas los nodos de computo y almacenamiento
    Fabric corre en un HW separado
    La comunicación es en un canal SSL
  • 25. Flujos de datos
  • 26. Identidad
    Daniel Montero
  • 27. Identidad en la Nube
    Windows Azure soporta ambas administraciones de identidad, basada en Roles (role-base) y basada en Derechos (claim-base)
  • 28. Administración de Identidad y Acceso
    WS-* and SAML
    Active Directory
    Otros Proveedores
  • 29. AppFabric: Control de Acceso 2.0Claims-based, Federated Access Control Service
    Provee autorización basada en reglas y derechos para: (rules-driven, claims-based):
    Aplicaciones Web
    Servicios Web REST
    Servicios Web SOAP
    Características Claves
    Amplio soporte a proveedores de identidad, incluyendo AD FederationServices v2 y proveedores conocidos de identidad Web (Live ID, Facebook, Google, Yahoo)
    Soporte a protocolos WS-Trust y WS-Federation
    Configurable a través de un nuevo portal Web de Administración
  • 30. Seguridad de Datos
    Juan Pablo García
  • 31. Seguridad de Datos
    Los datos de usuarios está en HW separado en Storage accounts
    El acceso a los datos es solo con la secretkey de la cuenta
    Políticas de control de acceso a los Blob puede ser adjunta utilizando «Shared Access Signatures»
    El acceso a los datos es utilizando SSL
  • 32. Blob Storage Security Model
    Storage Access Key
    Full Control
    Read / Write
    Delete / List
    Level Access
    Read / Write
    Delete / List
    Container ACL
    Azure Storage blob and container
  • 33. Confiabilidad Windows Azure Storage
    Los datos son replicados en 3 Storage físicos distintos y en diferentes datacenter
    Data onPremises
  • 34. Cifrado de datos en Azure
    Es soportado con código propio
    Aplicación cliente
    Almacena la llave
    Browser no tiene
    La llave, no puede
    Leer la data
  • 35. Seguridad en SQL Azure
  • 36. Seguridad en SQL Azure
    Solo se soportan autentificación SQL
    Se debe proveer el usuario en cada conexión
    Reset del password no obliga a reconectarse a los clientes
    Cada 60 minutos se debe volver a autentificar
    Cuando el aprovisionamiento SqlAzure crea una cuenta de nievel de servidor, similar SA
    Esta cuenta se usa para crear otras cuentas
    El puerto 1433 debe ser abierto en el firewall local
    Se deben registrar las IP de acceso
  • 37. Comparación SQL Server y SQL Azure
  • 38. Seguridad FísicaData Center
    Daniel Montero
  • 39. The Microsoft Cloud~100 Data Centers distribuidosGlobalmente
  • 40. Data Center – Seguridad Física
    Certificados SAS70 y ISO27001
    Procesos Certificados en SAS70
    Sensores de Movimiento
    Accesos protegidos 24 x 7
    Control de acceso biométrico a sistemas
    Vigilancia de Cámaras de Video
    Alarmas de violación de seguridad
  • 41. Windows Azure Platform Data Centers
    North America Region
    Europe Region
    Asia Pacific Region
    N. Europe
    N. Central – U.S.
    W. Europe
    S. Central – U.S.
    E. Asia
    S.E. Asia
    6 datacenters across 3 continents
    Simply select your data center of choice when deploying an application
  • 42. The Microsoft CloudData Center Infraestructure
  • 43. Conclusiones
  • 44. Windows Azure Security Overview
    Juan Pablo García González
    Solution Architect
    Daniel A. Montero González
    Software Developer Manager
    DATCO Chile