Best Practices in Cloud Security

Published in: Technology

  1. Best Practices in Cloud Security. Michael Washam, CEO, Opsgility
  2. Azure Security Tips
  3. Michael Washam, michael@opsgility.com, www.opsgility.com (Microsoft Azure)
  4. Protecting Identities
  5. Azure Active Directory
     • Identity source for Azure and Office 365 subscriptions
     • Key takeaways for protecting identities: Multi-Factor Authentication, Privileged Identity Management, Conditional Access
  6. Multi-Factor Authentication (MFA)
     • What is it? A method of authentication requiring the use of more than one verification method to authenticate a user.
     • How does it work? Requires two or more verification methods: something you know (typically a password) and something you have (a trusted device that is not easily duplicated, like a phone number).
     • Flow: 1. Log in using username and password; 2. Microsoft Azure MFA challenge; 3. Response to the challenge from the device
  7. What is Privileged Identity Management?
     • Manage, control, and monitor access within your organization
     • Includes access to resources in Azure AD and other Microsoft online services like Office 365 or Microsoft Intune
  8. Configuring Conditional Access
     • Protection against stolen or phished credentials
     • Keeps data safe
     • Enforces BYOD policies
     • Works with Azure AD and MFA
     • Applied to individual users or groups
  9. DEMO (Microsoft Azure)
  10. Protecting Infrastructure
  11. Protecting Your Infrastructure: Available Tools
     • Isolated Virtual Networks
     • Network Security Groups
     • Virtual Appliances
     • App Service Environment
     • Disk Encryption
     • Anti-Malware
     • Secure Endpoints (SQL and Storage)
  12. Virtual Network Best Practices
     • Isolate workloads in different subnets
     • Deploy Network Security Groups to minimize the attack surface
     • Avoid exposure to the Internet except where necessary
     • Control routing
     • Enable Forced Tunneling
     • Deploy Security Appliances
     • Enforce a DMZ
  13. DEMO (Microsoft Azure)
  14. Protecting Data
  15. Data at Rest: Encryption Points
     • Microsoft: Storage Service Encryption automatically encrypts customer data prior to persisting it to storage and decrypts it prior to retrieval; Microsoft manages the encryption keys
     • Customers: Azure VMs (Disk Encryption); PaaS (Azure SQL Database supports TDE); Applications (client-side encryption through the .NET Crypto API; RMS Service and SDK for file encryption by your applications)
  16. Data in Transit: Encryption Points
     • Data in transit between a user and the service: protects the user from interception of their communication and helps ensure transaction integrity
     • Data in transit between data centers: protects from bulk interception of data
     • End-to-end encryption of communications between users: protects from interception or loss of data in transit between users
     • Microsoft: Azure Portal (encrypts transactions through the Azure Portal using HTTPS; strong ciphers are used, FIPS 140-2 support); Import/Export (only accepts BitLocker-encrypted data disks); Datacenter to Datacenter (encrypts customer data transfer between Azure datacenters via Site-to-Site VPN connections)
     • Customers: Azure Services (various services offer additional capabilities for securing data in transit); N-Tier Applications (encrypt traffic between web client and server by implementing TLS on IIS)
  17. DEMO (Microsoft Azure)
  18. Applying Governance
  19. Tools for Governance
     • Azure EA Portal
     • Azure AD
     • Resource Groups
     • Policies
     • Role Based Access Control
     • Resource Locks
     • Security Center
     • Operations Management Suite (OMS)
     • Templates and Command Line
  20. Policies and Role Based Access Control
     • Policies: manage what resources or configurations are available at the subscription, resource group or resource level. Examples: supported regions, naming conventions, supported services, supported SKUs, tag requirements
     • Role Based Access Control: manage which users or groups can perform which actions on which resources. Examples: Owner, Contributor, Reader, resource-specific roles like Storage Account Contributor, custom roles
  21. DEMO (Microsoft Azure)
  22. Thank You.
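Slide 12 recommends Network Security Groups to minimize the attack surface and to avoid Internet exposure where it is not needed. As an added example, not from the deck or from Microsoft, the Python model below reproduces how an NSG evaluates inbound rules (lowest priority number first, first match wins, built-in deny-all last) and audits whether SSH or RDP would be reachable from an Internet address; the Rule class, the service-tag approximations and the probe address are constructed assumptions.

```python
# Model of Azure NSG inbound evaluation. Constructed example, not Azure's code.
# Rules match in ascending priority order, first match wins; the built-in rules
# at 65000+ give the default allow-from-VNet / deny-all behaviour. Service tags
# are approximated: "VirtualNetwork" = private space, "Internet" = everything else.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    name: str
    priority: int   # 100-4096 for custom rules; lower number wins
    access: str     # "Allow" or "Deny"
    source: str     # CIDR, "*", or a service tag
    dest_port: str  # "22", "1000-2000" or "*"

# Approximation of the default inbound rules every NSG carries.
DEFAULT_INBOUND = [
    Rule("AllowVnetInBound", 65000, "Allow", "VirtualNetwork", "*"),
    Rule("DenyAllInBound", 65500, "Deny", "*", "*"),
]
MGMT_PORTS = (22, 3389)  # SSH and RDP, the ports most often left exposed

def _source_matches(spec: str, src: str) -> bool:
    ip = ip_address(src)
    if spec == "*":
        return True
    if spec == "VirtualNetwork":
        return ip.is_private
    if spec == "Internet":
        return not ip.is_private
    return ip in ip_network(spec, strict=False)

def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)

def evaluate_inbound(rules, src: str, port: int):
    """Return (access, rule name) of the first matching rule by priority."""
    for r in sorted(list(rules) + DEFAULT_INBOUND, key=lambda r: r.priority):
        if _source_matches(r.source, src) and _port_matches(r.dest_port, port):
            return r.access, r.name
    return "Deny", "implicit"

def exposed_mgmt_ports(rules, probe_ip: str = "1.2.3.4"):
    """Management ports an Internet source (constructed probe address) can reach."""
    return [p for p in MGMT_PORTS if evaluate_inbound(rules, probe_ip, p)[0] == "Allow"]
```

Run `exposed_mgmt_ports` over a subscription's exported NSG rules to find the "RDP from anywhere" rules the slide warns against; restricting the rule's source to a management subnet makes the audit come back empty.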
