Windows Azure Security & Compliance


Session at the Windows Azure UK User Group on lessons learned on Windows Azure security and compliance.


  2. About Me
     Nuno Filipe Godinho, Director of Cloud Services, Europe @ Aditi Technologies; Windows Azure MVP; Twitter: @NunoGodinho
  3. AGENDA
  5. Basic Cloud Security Concerns
     • Where is my data located?
     • Is the cloud provider secure?
     • Who can see my data?
     • How do I make sure my company's data follows "the rules"?
     • Can I get my data back?
     • Can I run compliant applications in the cloud?
  6. Security is Multi-Dimensional
     • Solutions to be secured should consider all security aspects:
       – Human: how do people treat sensitive data?
       – Data: DB hardening, cryptography, permissions
       – Application: design and implement security best practices
       – Host: OS hardening, regular patching
       – Networking: firewalls, VLANs, secure channels, ...
       – Physical: who can access my servers?
  7. Data Defense in Depth Approach: Windows Azure Security Layers

     Layer        Defenses
     Data         Strong storage keys for access control
                  SSL support for data transfers between all parties
     Application  Front-end .NET Framework code running under partial trust
                  Windows account with least privileges
     Host         Stripped-down version of Windows Server 2008 OS
                  Host boundaries enforced by external hypervisor
     Network      Host firewall limiting traffic to VMs
                  VLANs and packet filters in routers
     Physical     World-class physical security
                  ISO 27001 and SAS 70 Type II certifications for datacenter processes
  8. Physical Security
     • Physical data center: SSAE 16/ISAE 3402 attestation and ISO 27001 certified
     • Motion sensors
     • 24x7 protected access
     • Biometric-controlled access systems
     • Video camera surveillance
     • Security breach alarms
  9. Built-in Firewalls
     • All traffic travels through several firewalls:
       – Fabric controlled:
         • Host VM firewall
         • Local firewalls
       – Service owner controlled:
         • Guest VM firewall
         • SQL Database firewall
  10. Windows Azure Security Layers
     • Managed code access security: partial trust
     • Windows account: running with least privileges
     • Windows Firewall (VM): rules based on the service model
     • Virtual machine: fixed CPU, memory and disk resources
     • Root partition packet filter: defense in depth against VM "jailbreaking"
     • Network ACLs: dedicated VLANs for tenant nodes
  11. Defenses Inherited by Windows Azure Platform Applications (STRIDE threats and the platform defenses that address them)
     • Spoofing, Tampering/Disclosure and Elevation of Privilege: VM switch hardening; Certificate Services; Shared Access Signatures; HTTPS; side-channel protections; VLANs; top-of-rack switches; custom packet filtering; Partial Trust runtime; hypervisor custom sandboxing; Virtual Service Accounts
     • Denial of Service: configurable scale-out
     • Repudiation: Monitoring; Diagnostics Service
     • Information Disclosure: HTTPS; Shared Access Signatures
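The Shared Access Signatures listed above (and the "strong storage keys for access control" of the defense-in-depth table) are a least-privilege mechanism: instead of handing out the account key, the owner signs a specific resource, permission set and validity window with HMAC-SHA256 under the account key, and the storage front end recomputes that signature on every request. The Python below is an added example, not code from this deck or from Microsoft's storage SDK. It reimplements the service SAS string-to-sign layout of storage service version 2012-02-12 for a single blob (assumed here; later versions add fields), uses a constructed account name and key, and includes a verifier of the kind the service runs so that permission escalation, replay against another blob and expiry can be observed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode

# String-to-sign layout of storage service version 2012-02-12 (assumed in this
# example). A service SAS for a single blob carries these query parameters:
#   sv  signed version      st  signed start      se  signed expiry
#   sr  resource type (b)   sp  permissions       sig HMAC-SHA256 signature
SERVICE_VERSION = "2012-02-12"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


def _fmt(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime(TIME_FMT)


def _parse(text: str) -> datetime:
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def canonical_resource(account: str, container: str, blob: str) -> str:
    # The resource path is part of the signed data, so a token minted for one
    # blob cannot be replayed against another.
    return f"/{account}/{container}/{blob}"


def string_to_sign(permissions, start, expiry, resource, identifier=""):
    # Fields are newline-joined in the order the service expects for this version.
    return "\n".join([permissions, start, expiry, resource, identifier, SERVICE_VERSION])


def sign(key_b64: str, text: str) -> str:
    # Storage account keys are distributed Base64-encoded; the HMAC key is the decoded bytes.
    mac = hmac.new(base64.b64decode(key_b64), text.encode("utf-8"), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode("ascii")


def make_blob_sas(account, key_b64, container, blob, permissions, start, expiry) -> str:
    """Mint the query string a client appends to the blob URL."""
    sts = string_to_sign(permissions, _fmt(start), _fmt(expiry),
                         canonical_resource(account, container, blob))
    params = {"sv": SERVICE_VERSION, "st": _fmt(start), "se": _fmt(expiry),
              "sr": "b", "sp": permissions, "sig": sign(key_b64, sts)}
    return urlencode(params)


def verify_blob_sas(account, key_b64, container, blob, query, now):
    """Recompute the signature over the presented parameters, then check the window.

    Returns (accepted, reason). The signature is checked before the times so a
    tampered token is rejected as tampered rather than as expired.
    """
    q = {k: v[0] for k, v in parse_qs(query).items()}
    for name in ("sv", "st", "se", "sr", "sp", "sig"):
        if name not in q:
            return False, f"missing parameter {name}"
    if q["sv"] != SERVICE_VERSION or q["sr"] != "b":
        return False, "unsupported version or resource type"
    expected = sign(key_b64, string_to_sign(q["sp"], q["st"], q["se"],
                                            canonical_resource(account, container, blob)))
    if not hmac.compare_digest(expected, q["sig"]):
        return False, "signature mismatch"
    if now < _parse(q["st"]):
        return False, "not yet valid"
    if now >= _parse(q["se"]):
        return False, "expired"
    return True, "ok"


# Constructed demo data for this example: not a real account or key.
DEMO_ACCOUNT = "contosostorage"
DEMO_KEY = base64.b64encode(bytes(range(32))).decode("ascii")
DEMO_START = datetime(2013, 3, 1, 9, 0, 0, tzinfo=timezone.utc)
DEMO_EXPIRY = DEMO_START + timedelta(hours=1)


def demo() -> dict:
    """Mint a read-only, one-hour token for one blob and exercise the verifier."""
    sas = make_blob_sas(DEMO_ACCOUNT, DEMO_KEY, "reports", "q1.pdf", "r", DEMO_START, DEMO_EXPIRY)
    in_window = DEMO_START + timedelta(minutes=10)

    def check(blob, token, when):
        return verify_blob_sas(DEMO_ACCOUNT, DEMO_KEY, "reports", blob, token, when)

    return {
        "token": sas,
        "valid": check("q1.pdf", sas, in_window),
        "expired": check("q1.pdf", sas, DEMO_EXPIRY + timedelta(minutes=1)),
        # Holder edits the token to add write permission: signature no longer matches.
        "escalated": check("q1.pdf", sas.replace("sp=r&", "sp=rw&"), in_window),
        # Same token presented for a different blob: resource path is signed too.
        "other_blob": check("q2.pdf", sas, in_window),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point a practitioner should take from this is that a SAS is only as narrow as what was signed: mint tokens per resource, with the smallest permission string and the shortest expiry the workload tolerates, and treat the account key itself as the secret that never leaves the owner's side.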
  13. Microsoft Cloud Infrastructure Compliance Capabilities (Microsoft Confidential – NDA Required)
  14. Windows Azure Compliance Roadmap (Microsoft Confidential – NDA Required)
  15. LESSONS LEARNED
  16. Quick Concepts
     • Always consider the two areas of compliance:
       – Data in transit: commonly delineated into two primary categories:
         • data moving across public or "untrusted" networks such as the Internet
         • data moving within the confines of private networks such as corporate local area networks (LANs)
       – Data at rest: commonly located on desktops and laptops, in databases and on file servers. In addition, subsets of data can often be found in log files, application files, configuration files and many other places.
  17. Lessons Learned: Process for defining which data privacy compliance is required
     1. Assess your organizational structure to understand where your business is being conducted.
     2. Know what rules apply to your organization, particularly when you have international locations.
     3. Know what you need to encrypt. Any sensitive data types that need to be protected for regulatory compliance or to comply with internal policies and standards can be strong candidates for encryption. If you have a data classification policy, encrypt the most sensitive or critical category or two.
     4. Locate data at rest housed in systems across the enterprise:
        a. Databases
        b. File shares and large-scale storage
        c. Email systems
        d. Backup media
  18. Lessons Learned (cont.): Process for defining which data privacy compliance is required
     5. Locate data in transit across network channels both within and outside the organization:
        a. Assess the data trajectory
        b. Gain visibility into the network traffic itself
     6. Decide how to handle sensitive data:
        a. Eradication
        b. Obfuscation / anonymization
        c. Encryption
  19. Penetration Testing
     • Microsoft conducts regular penetration testing to improve Windows Azure security controls and processes.
     • Customers can execute penetration testing in Windows Azure. They are only required to obtain prior authorization from Microsoft by filling out the Penetration Testing Approval Form and contacting Support.
  20. SUMMARY
  21. Summary
     • Windows Azure is very secure: top-level measures at all levels
     • Windows Azure is compliant with several of the most important standards:
       – ISO 27001
       – SSAE 16/ISAE 3402 (SOC 1 Type 2)
       – HIPAA BAA
     • Before starting to leverage Windows Azure, understand:
       – Data in transit
       – Data at rest
  22. Resources: Security, Privacy, Compliance
  23. Resources
     • Windows Azure Standard Response to Request for Information: Security and Privacy (Cloud Security Alliance)
     • Windows Azure Penetration Testing Approval Form
     • Windows Azure Security