Top 13 best security practices

Top 13 best security
practices for Azure
@RaduVunvulea
Session Subtitle 26pt
SPEAKER NAME
TITLE
COMPANY

“If you reveal your secrets to the
wind, you should not blame the
wind for revealing them to the
trees”
Kahlil Gibran

80% OF SECURITY BREACHES INVOLVE
PRIVILEGED CREDENTIALS
h t t p s: / / www. t rip wire . co m / st a t e -o f -se cu rit y/ se curit y -d a t a -pro t ect ion / wh y -p a m-cisos -t o p-p riorit y

Radu Vunvulea
Endava
Microsoft Azure MPV
Microsoft Regional Director
2010: 1st cloud commercial
cloud project

6
Agenda
1. SHARED RESPONSIBILITY MODEL
2. SECRETS AND ACCESS MANAGEMENT
3. REPO AND CLOUD SECRETS
4. APP CONFIGURATION
5. STORAGE
6. AZURE SQL
7. WEB ENDPOINTS
8. SECURITY CENTER AND AZURE ADVISOR
9. CONCLUSION
10. BONUS - RESOURCES

1
Shared Responsibility Model
7

SECURE FOUNDATION
PHYSICAL
ASSETS
DATACENTER
OPERATIONS
CLOUD INFRASTRUCTURE
AND FABRIC
CLOUD PROVIDER PROVIDES BUILT-IN
CONTROLS
VM AND NETWORKS
APPS AND
WORKLOADS
DATA

APPLICATION
STORAGE COMPUTE
OPERATION
IAM
NETWORKING
DATA
MONITORING
CLOUD
PLATFORM
API CI/CD

2
Secrets and Access Management
10

ACCESS KEYS | CONNECTION STRING
CONFIGURATION
ACCESS KEYS | CONNECTION STRING

AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM

AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM
CONNECTION STRING

AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM
CONNECTION STRING
CERTIFICATES

AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM
CONNECTION STRING
CERTIFICATES
KEYS

AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM
CONNECTION STRING
CERTIFICATES
KEYS
SECRETS

AZURE KEY
VAULT
AZURE
DEDICATED
HSM
AWS KMS
AWS
CLOUDHSM
CONNECTION STRING
CERTIFICATES
KEYS
CERT | KEYS | SECRETS

OS ENVIRONMENTAL VARIABLES
SETX AZURE_CLIENT_ID 866CA31F-84AD-4F37-B90C-
381002C0878E
SETX AZURE_CLIENT_SECRET 378093A5-E2A4-465F-84B4-
D22C1351A63A
SETX AZURE_TENANT_ID DF0DA57D-3F3F-425C-BCB0-
63450109D642
SETX KEY_VAULT_NAME ITCAMP
STRING KEYVAULTNAME =
SYSTEM.GETENV("KEY_VAULT_NAME");
STRING KVURI = "HTTPS://" + KEYVAULTNAME +
".VAULT.AZURE.NET";
SECRETCLIENT SECRETCLIENT = NEW
SECRETCLIENTBUILDER()
.VAULTURL(KVURI)
.CREDENTIAL(NEW
DEFAULTAZURECREDENTIALBUILDER().BUILD())
.BUILDCLIENT();
SECRETCLIENT.SETSECRET(NEW
KEYVAULTSECRET("EVENT", "ITCAMP"));
KEYVAULTSECRET RETRIEVEDSECRET =
SECRETCLIENT.GETSECRET("EVENT");

Azure
RBAC
Azure
role-based
access
control
User Group Service
Principal
Managed
Identity
Security Principal
Role
Operation type (R/W/C/D)
Scope
Management Group
Subscription
Resource Group
Resource
Role assignment
Assign a security principal
Assign a scope
Assign a role
Development Group
Contributor
Dev and Playground Resource Group

Azure RBAC
Azurerole-basedaccesscontrol
Duty segregation within your team
Grant only the amount of access to users that they need to perform their jobs

Azure RBAC
RBAC
Specific permissions create unneeded complexity and confusion, accumulating into a “legacy”
configuration that’s difficult to fix without fear of breaking something.
!

Azure RBAC
RBAC
Specific permissions create unneeded complexity and confusion, accumulating into a “legacy”
configuration that’s difficult to fix without fear of breaking something.
Avoid resource-specific permissions. Instead, use management groups for enterprise-wide permissions
and resource groups for permissions within subscriptions.
Avoid user-specific permissions. Instead, assign access to groups in Azure AD

Premium Media
content
Dev Hero
Media Token
(SAS)
Storage
Account key
Repository
(e.g. GitHub
Application Repo
CI/CD Machine(s)
Infrastructure Repo
Pipelines Repo
Pipeline Dev
Pipeline Testing
Pipeline Production
Storage
Account Key

Premium Media
content
Dev Hero
Media Token
(SAS)
Storage
Account key
Repository
(e.g. GitHub
Application Repo
CI/CD Machine(s)
Infrastructure Repo
Pipelines Repo
Pipeline Dev
Pipeline Testing
Pipeline Production
Storage
Account Key
git-secrets
git-secrets

Secrets scanning
Protectingyourcode,yoursecrets,youridentity
Scan commits before a push
(1)Placegit-secretssomewhereinthePATHtobeeasilyaccessiblebygit
(2)./install.ps1|Commandtoinstallgit-secretsonaWindowsmachine
(3)cd/path/RaduVRepo/IoTHome|Navigatetotherepothatyouwanttoprotect.You
needtodothisactionforeachrepositorythatyouwanttosecure
(4)gitsecretsinstall|Installthetool
(5)gitsecrets-register-azure|RegistertheAzureplugin
(6)gitsecrets-register-aws|RegistertheAWSplugin
(7)gitsecrets-register-gcp|RegistertheGCPplugin

Secrets scanning
Protectingyourcode,yoursecrets,youridentity
Scan commits before a push
> Reject commits when secrets are detected
Pipeline integration
> Build fail
> Remove secrets
Nightly scan
> Remove secrets
> Repository and Pipelines freeze

API APP
BACKEND
APP
ETL
RECURRE
NT
JOB
ADMIN
DUPLICATED
SHARED CROSS ROLES & TEAMS
HARD TO MAINTAIN
CENTRAL SETTINGS REPO

AZURE APP
CONFIGURATI
ON
AWS CONFIG
AWS
APPCONFIG
API APP
BACKEND
APP
ETL
RECURRE
NT
JOB
ADMIN

Defaultendpointsprotocol=https;accountname=itcamp2020webstorage;acc
ountkey=sbgvtx1ynetie5jg78pks7xns8r4nvpumycvrvwf3w5e6xs4txkmyk/pl
hev4a1mhozfii1kqoate4ec0ndfzt==;endpointsuffix=core.Windows.Net

IAM POLICIES
AZURE AD RBAC
AWS SIGNATURE
AZURE SAS
LIMIT ANONYMOUS PUBLIC READ ACCESS
ENABLE FIREWALL RULES

ENCRYPTION | FIREWALL | IP FW RULES
AUTHENTICATION USING IAM
TLS TDA
ENABLE THREAT DETECTION

COLUMN-LEVEL ENCRYPTION
ID NAME PHONE NO CITY AGE SALARY COMPANY ROLE
1 MIKE 07533232 CLUJ 24 2000 OFFICE SSE
2 RADU 07433423 CLUJ 32 1300 BORSEC JSE
3 IOAN 0775432 CLUJ 30 4000 BORSEC SDO
4 PAUL 0792321 CLUJ 39 3400 OFFICE LES
5 GITA 0784234 ORADEA 30 1400 OFFICE SSE
6 OANA 0712343 ORADEA 32 2200 BORSEC LES
7 ALEX 0742932 ORADEA 29 2000 OFFICE SUX

COLUMN-LEVEL ENCRYPTION

CELL-LEVEL ENCRYPTION

STRING USERNAME = REQUEST.QUERYSTRING["USERNAME"];
…
...
STRING QUERY = "SELECT * FROM [DBO].[USERS] WHERE USERNAME =
'" + USERNAME + "'";
CREATE PROCEDURE SP_FINDUSER
(
@USERNAME VARCHAR(50)
)
SELECT * FROM [DBO].[USERS] WHERE USERNAME = @USERNAME

OWASP (CRS RULES)
XSS
SQL INJECTION

8
Security Center and Azure Advisor
51

Azure
Security
Center
Discover
and
assess
the
security
of
your
workloads
Secure Score
Overall secure score
Security controls
Compliance
Azure CIS
PCI DSS 3.2
ISO 2007
SOC TSP
Custom definition
Azure Defender
Security Alerts
Advance Thread
Protection
Vulnerability
assessment and mng
On-premises and
Azure protection
Inventory
Explore, filter and
enhanced your
resources

Azure Advisor
Proactive,actionable,andpersonalizedbestpracticesrecommendations
Reliability
Security
Performance
Cost
Operational Excellence

Definitive Guide to Azure Security
1. Security policy
Ensure the following are set to on for virtual machines:
•‘OS vulnerabilities’ is set to on.
‘Endpoint protection’ is set to on.
‘Jit network access’ is set to on.
2. Identify and access management
•Ensure that for all users, multi-factor authentication is enabled.
Ensure that users can consent to apps accessing company data on their behalf’ is set to no.
Ensure that ‘restrict access to azure ad administration portal’ is set to yes.
3. Storage accounts
Ensure the following are set to enabled:
•‘Secure transfer required’ is set to enabled.
‘Storage service encryption’ is set to enabled.
4. SQL services
On SQL database or servers, ensure the following are set to on:
•‘Auditing’ is set to on.
‘Threat detection’ is set to on.
‘Transparent data encryption’ is set to on.
5. Networking
Ensure the following are disabled on network security groups from internet:
•Disable RDP.
Disable ssh.
Disable telnet (port 23).
6. Virtual machines
•Install endpoint protection for virtual machines.
Enable latest os patch updates for virtual machines.
Enforce disk encryption on virtual machines.
7. Miscellaneous
•Secure the subscription.
Minimize the number of admins/owners.
Do not grant permissions to external accounts (i.E., Accounts outside the native directory for the subscription).
https://www.skyhighnetworks.com/cloud -security-blog/73-azure-security-best-practices/

Security Best Practices for Azure solutions
1. Security policy
Ensure the following are set to on for virtual machines:
•‘OS vulnerabilities’ is set to on.
‘Endpoint protection’ is set to on.
‘Jit network access’ is set to on.
2. Identify and access management
•Ensure that for all users, multi-factor authentication is enabled.
Ensure that users can consent to apps accessing company data on their behalf’ is set to no.
Ensure that ‘restrict access to azure ad administration portal’ is set to yes.
3. Storage accounts
Ensure the following are set to enabled:
•‘Secure transfer required’ is set to enabled.
‘Storage service encryption’ is set to enabled.
4. SQL services
On SQL database or servers, ensure the following are set to on:
•‘Auditing’ is set to on.
‘Threat detection’ is set to on.
‘Transparent data encryption’ is set to on.
5. Networking
Ensure the following are disabled on network security groups from internet:
•Disable RDP.
Disable ssh.
Disable telnet (port 23).
6. Virtual machines
•Install endpoint protection for virtual machines.
Enable latest os patch updates for virtual machines.
Enforce disk encryption on virtual machines.
7. Miscellaneous
•Secure the subscription.
Minimize the number of admins/owners.
Do not grant permissions to external accounts (i.E., Accounts outside the native directory for the subscription).
https://azure.microsoft.com/en-us/resources/security-best-practices-for-azure-solutions/

Top 13 best security practices

Recommended

Recommended

More Related Content

What's hot

What's hot (9)

Similar to Top 13 best security practices

Similar to Top 13 best security practices (20)

Recently uploaded

Recently uploaded (20)

Top 13 best security practices

Editor's Notes