AZURE SERVERLESS SECURITY
Pratik Khasnabis
Azure Cloud Architect (MCSE & MCSD)
@softveda
SERVERLESS ARCHITECTURE
“Serverless architectures are application designs that incorporate third-party “Backend as a Service” (BaaS) services, and/or that include custom code run in managed, ephemeral containers on a “Functions as a Service” (FaaS) platform. By using these ideas, and related ones like single-page applications, such architectures remove much of the need for a traditional always-on server component. …”
- Martin Fowler
[Diagram: SPA App, FaaS, BaaS]
SERVERLESS SECURITY
• Just because there are no servers to manage doesn't absolve you of the responsibility of securing your serverless architecture.
• Security in the cloud is everyone's responsibility, including the development team, the SRE/Ops team, the cyber security team and of course your cloud vendor.
• Security controls also depend on the threat model and the risks identified for your specific application. There is no one-size-fits-all solution to cyber security.
SECURING YOUR AZURE ACCOUNT
“Your Pa$$word doesn't matter”
Enabling multi-factor authentication (MFA) for accounts will end up blocking 99.9% of automated attacks.
APPSEC PRACTICES
• Secure coding practices
• Protect against the OWASP Top 10
• Do input validation
• Logging and monitoring
• Enable HTTPS only, with TLS 1.2 as the minimum version
• Framework currency (keep runtimes and frameworks on supported versions)
• Dependency vulnerability scans
“UK cybersecurity agency warns devs to drop Python 2 due to looming EOL & security risks”
“Equifax breach was ‘entirely preventable’ had it used basic security measures, says House report. The credit agency failed to patch a disclosed vulnerability in Apache Struts, a common open source web server.”
“Backdoors snuck into 12 OSS packages were downloaded hundreds of thousands of times.”
TYPICAL SERVERLESS ARCHITECTURE ON AZURE
[Diagram: Storage blob (SPA) → API Management → Functions → Storage table / Cosmos DB]
[Single Page App] Serve static content (HTML, CSS, JS, and image files) directly from a storage container named $web.
[REST API Gateway] Serverless API management with automated scaling for securing, publishing, and analysing APIs.
[Backend - Microservice] FaaS in Azure. An event-driven serverless compute platform.
[Backend – Database] NoSQL databases in Azure with almost limitless scaling.
AZURE BLOBS – STATIC WEBSITE HOSTING
https://todoappinsecure.z13.web.core.windows.net/
TODO APP - SPA CODE
const azureFuncUrl = "https://todoinsecurefunctionapp.azurewebsites.net/api/todo/";

// Calls the function anonymously: no Authorization header, and the id is taken straight from the input box.
function callSearchAPi() {
  var id = $("#searchInput").val();
  $.ajax({
    url: azureFuncUrl + id,
    type: "GET",
    // … (success/error handlers elided on the slide)
  });
}

$("#searchBtn").click(function () {
  clearErrorMessage();
  callSearchAPi();
});
TODO FUNCTION
https://todoinsecurefunctionapp.azurewebsites.net/api/todo/{id}
SETTING CORS
TODO TABLE STORAGE
Connection String in Function App Application Settings
IS THIS APP SECURE?
[Diagram: the same architecture without API Management. Storage blob ($web static website) → Functions → Storage table / Cosmos DB. Annotation on the function: App Config (the connection string held in the Function App application settings).]
PROBLEM STATEMENT
How do we make sure that the REST API calls from the SPA to the Azure Function are secure, i.e. that only authenticated and authorised users can invoke the Azure Function?
How do we make sure that only the Azure Function app can access the backend database, and how do we secure the credential it uses?
OAUTH 2.0 IMPLICIT GRANT FLOW
REGISTER TODO APP IN AZURE AD
REGISTER TODO API FUNCTION IN AZURE AD
TODO APP SECURE – SPA CODE
ADAL.JS – LOGIN
ADAL.JS – GET ACCESS TOKEN
CHANGE AUTHENTICATION TO FUNCTION
AZURE API MANAGEMENT
• Reducing the attack surface
• CORS Policy
• Validate JWT Policy
• Rate limiting
PUBLISH TODO FUNCTION APP IN AZURE APIM
CONFIGURE VALIDATE-JWT POLICY
IS THIS APP SECURE?
[Diagram: Storage blob ($web static website) → API Management → Functions → Storage table / Cosmos DB. Annotations (left to right): JWT, Key, App Config.]
INSPECT THE JWT ACCESS TOKEN
ADD APPLICATION ROLE IN MANIFEST
GRANT APPLICATION ROLE TO USER
INSPECT THE JWT ACCESS TOKEN
TOKEN VALIDATION & ROLE CHECK
IS THIS APP SECURE?
[Diagram: Storage blob ($web static website) → API Management → Functions → Storage table / Cosmos DB. Annotations (left to right): JWT, Key, App Config, JWT.]
CREDENTIAL FREE CODE
Managed Identity for Azure Resources (aka MSI)
– MSI_ENDPOINT
– MSI_SECRET
CREATE AN IDENTITY FOR THE FUNCTION APP
SAVE CONNECTION STRING AS A SECRET IN KV
SET A LEAST PRIVILEGE ACCESS POLICY TO THE FUNCTION APP IDENTITY
SET THE CONNECTION STRING VALUE IN FUNCTION APP APPLICATION SETTINGS
Format is @Microsoft.KeyVault(SecretUri=secret_uri_with_version)
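With the Key Vault reference in place, the platform resolves the secret for you and the function simply reads the app setting. As an added example (not code from the deck), the block below spells out what happens behind that reference, so that the managed-identity steps above (create the identity, store the secret, grant the access policy, point the setting at the secret) can be seen end to end and reproduced in code on a host that has no reference support: the reference string is parsed, a token for the Key Vault resource is requested from the App Service MSI endpoint named on the slide (MSI_ENDPOINT, authenticated with the MSI_SECRET header, api-version 2017-09-01), and the secret is fetched from the Key Vault secrets REST API (api-version 7.0) with that bearer token. The HTTP transport is injected so the flow runs offline against constructed responses; the vault name, secret name, endpoint address and secret values are all constructed placeholders.

```javascript
// Added example (not from the deck): resolving a @Microsoft.KeyVault(SecretUri=...) setting
// with the Function App's managed identity. Vault, secret and endpoint values are constructed.
const KV_REF = /^@Microsoft\.KeyVault\(SecretUri=([^)]+)\)$/;

// Extract the secret URI from a Key Vault reference setting; null for a plain value.
// The slide's format carries the version; a missing version is tolerated here but reported as null.
function parseKeyVaultReference(setting) {
  const m = KV_REF.exec(setting.trim());
  if (!m) return null;
  const uri = new URL(m[1]);
  // Expect https://<vault>.vault.azure.net/secrets/<name>/<version>
  const seg = uri.pathname.split("/").filter(Boolean);
  if (uri.protocol !== "https:" || !uri.hostname.endsWith(".vault.azure.net") || seg[0] !== "secrets" || seg.length < 2) {
    throw new Error(`not a Key Vault secret URI: ${m[1]}`);
  }
  return { secretUri: m[1], vault: uri.hostname, name: seg[1], version: seg[2] || null };
}

// Token request to the MSI endpoint: a token for the Key Vault resource, authenticated by the
// per-instance MSI_SECRET header, so no client secret or certificate lives in code or config.
function buildMsiTokenRequest(env, resource = "https://vault.azure.net") {
  if (!env.MSI_ENDPOINT || !env.MSI_SECRET) throw new Error("managed identity is not enabled on this app");
  const u = new URL(env.MSI_ENDPOINT);
  u.searchParams.set("resource", resource);
  u.searchParams.set("api-version", "2017-09-01");
  return { url: u.toString(), headers: { Secret: env.MSI_SECRET } };
}

// Request for the secret itself, authenticated with the bearer token issued to the identity.
function buildSecretRequest(secretUri, accessToken) {
  const u = new URL(secretUri);
  u.searchParams.set("api-version", "7.0");
  return { url: u.toString(), headers: { Authorization: `Bearer ${accessToken}` } };
}

// Resolve an app setting: plain values pass through, Key Vault references are fetched via MSI.
// getJson(url, headers) is the injected transport and may be sync or async.
async function resolveSetting(value, env, getJson) {
  const ref = parseKeyVaultReference(value);
  if (!ref) return value;
  const tokenReq = buildMsiTokenRequest(env);
  const tokenRes = await getJson(tokenReq.url, tokenReq.headers);
  if (!tokenRes.access_token) throw new Error("MSI token request failed");
  const secretReq = buildSecretRequest(ref.secretUri, tokenRes.access_token);
  const secretRes = await getJson(secretReq.url, secretReq.headers);
  if (typeof secretRes.value !== "string") throw new Error("secret fetch failed");
  return secretRes.value;
}

// Constructed environment and fake transport standing in for the MSI endpoint and Key Vault.
const fakeEnv = { MSI_ENDPOINT: "http://127.0.0.1:41793/MSI/token/", MSI_SECRET: "constructed-msi-secret" };
const SECRET_URI = "https://todo-kv.vault.azure.net/secrets/TableConnectionString/1a2b3c";
function fakeGetJson(url, headers) {
  const u = new URL(url);
  if (u.origin === "http://127.0.0.1:41793") {
    if (headers.Secret !== fakeEnv.MSI_SECRET) return { error: "unauthorized" };
    return { access_token: "constructed-kv-token", resource: u.searchParams.get("resource"), token_type: "Bearer" };
  }
  if (u.hostname === "todo-kv.vault.azure.net" && headers.Authorization === "Bearer constructed-kv-token") {
    return { value: "DefaultEndpointsProtocol=https;AccountName=todo;AccountKey=constructed", id: SECRET_URI };
  }
  return { error: "forbidden" };
}
```

The access policy granted to the identity needs only the secret "get" permission for this flow, which is the least-privilege policy the slide asks for; the identity never sees the vault's other secrets, keys or certificates.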
IS THIS APP SECURE?
[Diagram: Storage blob ($web static website) → API Management → Functions → Storage table / Cosmos DB. Annotations (left to right): JWT, Key, MSI, JWT.]
SECURE SERVERLESS ARCHITECTURE
[Diagram. Components: Azure Active Directory, Azure Key Vault, API Management, Storage blob (Static Website Hosting), SPA App (ADAL.js), Function, Storage table (Data Store).
Flows: the SPA App signs in to Azure Active Directory and gets an access token (JWT); GET static assets (unauthenticated) from the Storage blob static website; AJAX API calls carrying the JWT to API Management, which applies the CORS policy and the Validate JWT policy against the Azure AD open-id config; API calls (JWT, Key) from API Management to the Function, which validates the claims; the Function gets the secret from Azure Key Vault under its MSI access policy; table ops from the Function to the Storage table data store.]
TAKEAWAYS
• Implement the OAuth 2.0 implicit flow in the SPA to get an access token for the Function App being called
• Register the SPA and the Function App in Azure AD as applications
• Change the Function App application manifest and add “app roles”
• Grant roles to users in Azure AD for the Function App application
• Publish the Function App in Azure API Management
• Validate the JWT in the APIM policy
• Check the role in the claims within the JWT in the Function App code
• Set a Managed Identity for the Function App
• Store connection strings as secrets in Azure Key Vault
• Grant a least-privilege access policy to the Function App MSI in the Key Vault
• Change the application configuration for the Function App to point to Key Vault
THANK YOU
Pratik Khasnabis
Azure Cloud Architect (MCSE & MCSD)
@softveda

More Related Content

What's hot

Managing the Life Cycle of IT Products
Managing the Life Cycle of IT ProductsManaging the Life Cycle of IT Products
Managing the Life Cycle of IT ProductsAmazon Web Services
 
Azure Automation and Update Management
Azure Automation and Update ManagementAzure Automation and Update Management
Azure Automation and Update ManagementUdaiappa Ramachandran
 
Certification in Microsoft Azure
Certification in Microsoft AzureCertification in Microsoft Azure
Certification in Microsoft AzureDaniel Toomey
 
Sydney 2015 Azure bootcamp PaaS presentation
Sydney 2015 Azure bootcamp PaaS presentationSydney 2015 Azure bootcamp PaaS presentation
Sydney 2015 Azure bootcamp PaaS presentationAaron Saikovski
 
Lock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountLock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountAmazon Web Services
 
Architecting for Greater Security - London Summit Enteprise Track RePlay
Architecting for Greater Security - London Summit Enteprise Track RePlayArchitecting for Greater Security - London Summit Enteprise Track RePlay
Architecting for Greater Security - London Summit Enteprise Track RePlayAmazon Web Services
 
Lets talk about: Azure Kubernetes Service (AKS)
Lets talk about: Azure Kubernetes Service (AKS)Lets talk about: Azure Kubernetes Service (AKS)
Lets talk about: Azure Kubernetes Service (AKS)Pedro Sousa
 
Azure IaaS Server Lifecycle Presentation
Azure IaaS Server Lifecycle PresentationAzure IaaS Server Lifecycle Presentation
Azure IaaS Server Lifecycle PresentationDaniel Toomey
 
Microsoft Azure News - Dec 2016
Microsoft Azure News - Dec 2016Microsoft Azure News - Dec 2016
Microsoft Azure News - Dec 2016Daniel Toomey
 
Azure appservice
Azure appserviceAzure appservice
Azure appserviceRaju Kumar
 
Best of reI:nvent Tel Aviv 2015 - Keynote
Best of reI:nvent Tel Aviv 2015 - KeynoteBest of reI:nvent Tel Aviv 2015 - Keynote
Best of reI:nvent Tel Aviv 2015 - KeynoteAmazon Web Services
 
Innovation at Scale - Top 10 AWS questions when you start
Innovation at Scale - Top 10 AWS questions when you startInnovation at Scale - Top 10 AWS questions when you start
Innovation at Scale - Top 10 AWS questions when you startShiva Narayanaswamy
 
Developing a Continuous Automated Approach to Cloud Security
 Developing a Continuous Automated Approach to Cloud Security Developing a Continuous Automated Approach to Cloud Security
Developing a Continuous Automated Approach to Cloud SecurityAmazon Web Services
 
Simplify Operations, Compliance and Governance using AWS Systems Manager
Simplify Operations, Compliance and Governance using AWS Systems ManagerSimplify Operations, Compliance and Governance using AWS Systems Manager
Simplify Operations, Compliance and Governance using AWS Systems ManagerAmazon Web Services
 
Automated Compliance and Governance with AWS Config and AWS CloudTrail
Automated Compliance and Governance with AWS Config and AWS CloudTrailAutomated Compliance and Governance with AWS Config and AWS CloudTrail
Automated Compliance and Governance with AWS Config and AWS CloudTrailAmazon Web Services
 
Overview of Amazon Web Services
Overview of Amazon Web ServicesOverview of Amazon Web Services
Overview of Amazon Web ServicesBrett Gillett
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineAmazon Web Services
 
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...Amazon Web Services
 
Wrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS OrganizationsWrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS OrganizationsAmazon Web Services
 

What's hot (20)

Introduction to Microsoft Azure 101
Introduction to Microsoft Azure 101Introduction to Microsoft Azure 101
Introduction to Microsoft Azure 101
 
Managing the Life Cycle of IT Products
Managing the Life Cycle of IT ProductsManaging the Life Cycle of IT Products
Managing the Life Cycle of IT Products
 
Azure Automation and Update Management
Azure Automation and Update ManagementAzure Automation and Update Management
Azure Automation and Update Management
 
Certification in Microsoft Azure
Certification in Microsoft AzureCertification in Microsoft Azure
Certification in Microsoft Azure
 
Sydney 2015 Azure bootcamp PaaS presentation
Sydney 2015 Azure bootcamp PaaS presentationSydney 2015 Azure bootcamp PaaS presentation
Sydney 2015 Azure bootcamp PaaS presentation
 
Lock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS AccountLock It Down: How to Secure Your Organization's AWS Account
Lock It Down: How to Secure Your Organization's AWS Account
 
Architecting for Greater Security - London Summit Enteprise Track RePlay
Architecting for Greater Security - London Summit Enteprise Track RePlayArchitecting for Greater Security - London Summit Enteprise Track RePlay
Architecting for Greater Security - London Summit Enteprise Track RePlay
 
Lets talk about: Azure Kubernetes Service (AKS)
Lets talk about: Azure Kubernetes Service (AKS)Lets talk about: Azure Kubernetes Service (AKS)
Lets talk about: Azure Kubernetes Service (AKS)
 
Azure IaaS Server Lifecycle Presentation
Azure IaaS Server Lifecycle PresentationAzure IaaS Server Lifecycle Presentation
Azure IaaS Server Lifecycle Presentation
 
Microsoft Azure News - Dec 2016
Microsoft Azure News - Dec 2016Microsoft Azure News - Dec 2016
Microsoft Azure News - Dec 2016
 
Azure appservice
Azure appserviceAzure appservice
Azure appservice
 
Best of reI:nvent Tel Aviv 2015 - Keynote
Best of reI:nvent Tel Aviv 2015 - KeynoteBest of reI:nvent Tel Aviv 2015 - Keynote
Best of reI:nvent Tel Aviv 2015 - Keynote
 
Innovation at Scale - Top 10 AWS questions when you start
Innovation at Scale - Top 10 AWS questions when you startInnovation at Scale - Top 10 AWS questions when you start
Innovation at Scale - Top 10 AWS questions when you start
 
Developing a Continuous Automated Approach to Cloud Security
 Developing a Continuous Automated Approach to Cloud Security Developing a Continuous Automated Approach to Cloud Security
Developing a Continuous Automated Approach to Cloud Security
 
Simplify Operations, Compliance and Governance using AWS Systems Manager
Simplify Operations, Compliance and Governance using AWS Systems ManagerSimplify Operations, Compliance and Governance using AWS Systems Manager
Simplify Operations, Compliance and Governance using AWS Systems Manager
 
Automated Compliance and Governance with AWS Config and AWS CloudTrail
Automated Compliance and Governance with AWS Config and AWS CloudTrailAutomated Compliance and Governance with AWS Config and AWS CloudTrail
Automated Compliance and Governance with AWS Config and AWS CloudTrail
 
Overview of Amazon Web Services
Overview of Amazon Web ServicesOverview of Amazon Web Services
Overview of Amazon Web Services
 
Infrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security BaselineInfrastructure Security: Your Minimum Security Baseline
Infrastructure Security: Your Minimum Security Baseline
 
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...
Operations and Security at Cloud Scale with Amazon EC2 System Manager - AWS S...
 
Wrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS OrganizationsWrangling Multiple AWS Accounts with AWS Organizations
Wrangling Multiple AWS Accounts with AWS Organizations
 

Similar to Azure serverless security

AWS Summit Auckland 2014 | Running your First Application on AWS
AWS Summit Auckland 2014 | Running your First Application on AWSAWS Summit Auckland 2014 | Running your First Application on AWS
AWS Summit Auckland 2014 | Running your First Application on AWSAmazon Web Services
 
AWS Enterprise Workloads on AWS IP Expo 2013
AWS Enterprise Workloads on AWS IP Expo 2013AWS Enterprise Workloads on AWS IP Expo 2013
AWS Enterprise Workloads on AWS IP Expo 2013Amazon Web Services
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at ScaleAmazon Web Services
 
AWS Webcast - Build Agile Applications in AWS Cloud for Government
AWS Webcast - Build Agile Applications in AWS Cloud for GovernmentAWS Webcast - Build Agile Applications in AWS Cloud for Government
AWS Webcast - Build Agile Applications in AWS Cloud for GovernmentAmazon Web Services
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricSpiffy
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtHelen Rogers
 
Running your First Application on AWS
Running your First Application on AWS Running your First Application on AWS
Running your First Application on AWS Amazon Web Services
 
Build intelligent solutions using Azure
Build intelligent solutions using AzureBuild intelligent solutions using Azure
Build intelligent solutions using AzureMostafa
 
Azure Functions VS AWS Lambda: overview and comparison
Azure Functions VS AWS Lambda: overview and comparisonAzure Functions VS AWS Lambda: overview and comparison
Azure Functions VS AWS Lambda: overview and comparisonAlex Zyl
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without serversAmazon Web Services
 
AWS Webcast - Build Agile Applications in AWS Cloud for Government
AWS Webcast - Build Agile Applications in AWS Cloud for GovernmentAWS Webcast - Build Agile Applications in AWS Cloud for Government
AWS Webcast - Build Agile Applications in AWS Cloud for GovernmentAmazon Web Services
 
Como construir suas aplicações escaláveis sem servidores
Como construir suas aplicações escaláveis sem servidoresComo construir suas aplicações escaláveis sem servidores
Como construir suas aplicações escaláveis sem servidoresAlexandre Santos
 
Build an app on aws for your first 10 million users (2)
Build an app on aws for your first 10 million users (2)Build an app on aws for your first 10 million users (2)
Build an app on aws for your first 10 million users (2)AWS Vietnam Community
 
Running your First Application on AWS
Running your First Application on AWSRunning your First Application on AWS
Running your First Application on AWSAmazon Web Services
 
Azure Cloud Application Development Workshop - UGIdotNET
Azure Cloud Application Development Workshop - UGIdotNETAzure Cloud Application Development Workshop - UGIdotNET
Azure Cloud Application Development Workshop - UGIdotNETLorenzo Barbieri
 
Build a Website on AWS for Your First 10 Million Users
Build a Website on AWS for Your First 10 Million UsersBuild a Website on AWS for Your First 10 Million Users
Build a Website on AWS for Your First 10 Million UsersAmazon Web Services
 

Similar to Azure serverless security (20)

AWS Summit Auckland 2014 | Running your First Application on AWS
AWS Summit Auckland 2014 | Running your First Application on AWSAWS Summit Auckland 2014 | Running your First Application on AWS
AWS Summit Auckland 2014 | Running your First Application on AWS
 
AWS Enterprise Workloads on AWS IP Expo 2013
AWS Enterprise Workloads on AWS IP Expo 2013AWS Enterprise Workloads on AWS IP Expo 2013
AWS Enterprise Workloads on AWS IP Expo 2013
 
Introduction to DevOps on AWS
Introduction to DevOps on AWSIntroduction to DevOps on AWS
Introduction to DevOps on AWS
 
Google App Engine overview (GAE/J)
Google App Engine overview (GAE/J)Google App Engine overview (GAE/J)
Google App Engine overview (GAE/J)
 
Best Practices for Security at Scale
Best Practices for Security at ScaleBest Practices for Security at Scale
Best Practices for Security at Scale
 
AWS Webcast - Build Agile Applications in AWS Cloud for Government
AWS Webcast - Build Agile Applications in AWS Cloud for GovernmentAWS Webcast - Build Agile Applications in AWS Cloud for Government
AWS Webcast - Build Agile Applications in AWS Cloud for Government
 
CTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App FabricCTU June 2011 - Windows Azure App Fabric
CTU June 2011 - Windows Azure App Fabric
 
Security Best Practices_John Hildebrandt
Security Best Practices_John HildebrandtSecurity Best Practices_John Hildebrandt
Security Best Practices_John Hildebrandt
 
Microsoft Azure
Microsoft AzureMicrosoft Azure
Microsoft Azure
 
Running your First Application on AWS
Running your First Application on AWS Running your First Application on AWS
Running your First Application on AWS
 
Build intelligent solutions using Azure
Build intelligent solutions using AzureBuild intelligent solutions using Azure
Build intelligent solutions using Azure
 
Azure Functions VS AWS Lambda: overview and comparison
Azure Functions VS AWS Lambda: overview and comparisonAzure Functions VS AWS Lambda: overview and comparison
Azure Functions VS AWS Lambda: overview and comparison
 
Windows Azure
Windows AzureWindows Azure
Windows Azure
 
Building a web application without servers
Building a web application without serversBuilding a web application without servers
Building a web application without servers
 
AWS Webcast - Build Agile Applications in AWS Cloud for Government
AWS Webcast - Build Agile Applications in AWS Cloud for GovernmentAWS Webcast - Build Agile Applications in AWS Cloud for Government
AWS Webcast - Build Agile Applications in AWS Cloud for Government
 
Como construir suas aplicações escaláveis sem servidores
Como construir suas aplicações escaláveis sem servidoresComo construir suas aplicações escaláveis sem servidores
Como construir suas aplicações escaláveis sem servidores
 
Build an app on aws for your first 10 million users (2)
Build an app on aws for your first 10 million users (2)Build an app on aws for your first 10 million users (2)
Build an app on aws for your first 10 million users (2)
 
Running your First Application on AWS
Running your First Application on AWSRunning your First Application on AWS
Running your First Application on AWS
 
Azure Cloud Application Development Workshop - UGIdotNET
Azure Cloud Application Development Workshop - UGIdotNETAzure Cloud Application Development Workshop - UGIdotNET
Azure Cloud Application Development Workshop - UGIdotNET
 
Build a Website on AWS for Your First 10 Million Users
Build a Website on AWS for Your First 10 Million UsersBuild a Website on AWS for Your First 10 Million Users
Build a Website on AWS for Your First 10 Million Users
 

Recently uploaded

Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...caitlingebhard1
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamUiPathCommunity
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxMarkSteadman7
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard37
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringWSO2
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Less Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformLess Is More: Utilizing Ballerina to Architect a Cloud Data Platform
Less Is More: Utilizing Ballerina to Architect a Cloud Data PlatformWSO2
 
API Governance and Monetization - The evolution of API governance
API Governance and Monetization -  The evolution of API governanceAPI Governance and Monetization -  The evolution of API governance
API Governance and Monetization - The evolution of API governanceWSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Decarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceDecarbonising Commercial Real Estate: The Role of Operational Performance
Decarbonising Commercial Real Estate: The Role of Operational PerformanceIES VE
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Zilliz
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Bhuvaneswari Subramani
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 

Recently uploaded (20)

Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...Stronger Together: Developing an Organizational Strategy for Accessible Desig...
Stronger Together: Developing an Organizational Strategy for Accessible Desig...
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 AmsterdamDEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
DEV meet-up UiPath Document Understanding May 7 2024 Amsterdam
 
Simplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptxSimplifying Mobile A11y Presentation.pptx
Simplifying Mobile A11y Presentation.pptx
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
JohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptxJohnPollard-hybrid-app-RailsConf2024.pptx
JohnPollard-hybrid-app-RailsConf2024.pptx
 
Choreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software EngineeringChoreo: Empowering the Future of Enterprise Software Engineering
Choreo: Empowering the Future of Enterprise Software Engineering
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 

Azure serverless security

  • 6. TYPICAL SERVERLESS ARCHITECTURE ON AZURE
    Diagram components: Storage blob, Storage table, Cosmos DB, API Management, Functions
    • [Single Page App] Serve static content (HTML, CSS, JS, and image files) directly from a storage container named $web.
    • [REST API Gateway] Serverless API management with automated scaling for securing, publishing, and analysing APIs
    • [Backend - Microservice] FaaS in Azure. An event-driven serverless compute platform
    • [Backend – Database] NoSQL Databases in Azure with almost limitless scaling
  • 7. AZURE BLOBS – STATIC WEBSITE HOSTING https://todoappinsecure.z13.web.core.windows.net/
  • 8. TODO APP - SPA CODE

        const azureFuncUrl = "https://todoinsecurefunctionapp.azurewebsites.net/api/todo/";

        function callSearchAPi() {
          var id = $("#searchInput").val();
          $.ajax({
            url: azureFuncUrl + id,
            type: "GET",
            …
          });
        }

        $("#searchBtn").click(function () {
          clearErrorMessage();
          callSearchAPi();
        });
  • 11. TODO TABLE STORAGE Connection String in Function App Application Settings
  • 12. IS THIS APP SECURE?
    Diagram components: Storage blob, Storage table, Cosmos DB, Functions, App Config
    • [Single Page App] Serve static content (HTML, CSS, JS, and image files) directly from a storage container named $web.
    • [Backend - Microservice] FaaS in Azure. An event-driven serverless compute platform
    • [Backend – Database] NoSQL Databases in Azure with almost limitless scaling
  • 13. PROBLEM STATEMENT
    • How do we make sure that the REST API calls from the SPA to the Azure Function are secure, meaning that only authenticated and authorised users can invoke the Azure Function?
    • How do we make sure that only the Azure Function app can access the backend database, and how do we secure that credential?
  • 14. OAUTH 2.0 IMPLICIT GRANT FLOW
  • 15. REGISTER TODO APP IN AZURE AD
  • 16. REGISTER TODO API FUNCTION IN AZURE AD
  • 17. TODO APP SECURE –SPA CODE
  • 19. ADAL.JS – GET ACCESS TOKEN
  • 21. AZURE API MANAGEMENT
    • Reducing the attack surface
    • CORS Policy
    • Validate JWT Policy
    • Rate limiting
  • 22. PUBLISH TODO FUNCTION APP IN AZURE APIM
  • 24. IS THIS APP SECURE?
    Diagram components: Storage blob, Storage table, Cosmos DB, API Management, Functions
    • [Single Page App] Serve static content (HTML, CSS, JS, and image files) directly from a storage container named $web.
    • [REST API Gateway] Serverless API management with automated scaling for securing, publishing, and analysing APIs
    • [Backend - Microservice] FaaS in Azure. An event-driven serverless compute platform
    • [Backend – Database] NoSQL Databases in Azure with almost limitless scaling
    Diagram labels: JWT, Key, App Config
  • 25. INSPECT THE JWT ACCESS TOKEN
  • 26. ADD APPLICATION ROLE IN MANIFEST
  • 28. INSPECT THE JWT ACCESS TOKEN
  • 29. TOKEN VALIDATION & ROLE CHECK
  • 30. IS THIS APP SECURE?
    Diagram components: Storage blob, Storage table, Cosmos DB, API Management, Functions
    • [Single Page App] Serve static content (HTML, CSS, JS, and image files) directly from a storage container named $web.
    • [REST API Gateway] Serverless API management with automated scaling for securing, publishing, and analysing APIs
    • [Backend - Microservice] FaaS in Azure. An event-driven serverless compute platform
    • [Backend – Database] NoSQL Databases in Azure with almost limitless scaling
    Diagram labels: JWT, Key, App Config, JWT
  • 31. CREDENTIAL FREE CODE
    Managed Identity for Azure Resources (aka MSI)
    – MSI_ENDPOINT
    – MSI_SECRET
  • 32. CREATE AN IDENTITY FOR THE FUNCTION APP
  • 33. SAVE CONNECTION STRING AS A SECRET IN KV
  • 34. SET A LEAST PRIVILEGE ACCESS POLICY TO THE FUNCTION APP IDENTITY
  • 35. SET THE CONNECTION STRING VALUE IN FUNCTION APP APPLICATION SETTINGS
    Format is @Microsoft.KeyVault(SecretUri=secret_uri_with_version)
  • 36. IS THIS APP SECURE?
    Diagram components: Storage blob, Storage table, Cosmos DB, API Management, Functions
    • [Single Page App] Serve static content (HTML, CSS, JS, and image files) directly from a storage container named $web.
    • [REST API Gateway] Serverless API management with automated scaling for securing, publishing, and analysing APIs
    • [Backend - Microservice] FaaS in Azure. An event-driven serverless compute platform
    • [Backend – Database] NoSQL Databases in Azure with almost limitless scaling
    Diagram labels: JWT, Key, MSI, JWT
  • 37. SECURE SERVERLESS ARCHITECTURE
    Diagram labels: Azure Active Directory, Azure Key Vault, API Management, Storage blob, Static Website Hosting, Sign In, Open-id config, MSI, Access Policy, GET Static Assets (Unauthenticated), AJAX API Calls, API Calls, Table Ops, GET Secret, SPA App (ADAL.js), Storage table, CORS policy, Validate JWT policy, Validate Claims, JWT, JWT, Function Key, Get Access Token, Data Store, JWT
  • 38. TAKEAWAYS
    • Implement OAuth 2.0 Implicit Flow in the SPA to get an access token for the Function App being called
    • Register the SPA and the Function App in Azure AD as applications
    • Change the Function App application manifest and add “app roles”
    • Grant roles to users in AD for the Function App application
    • Publish the Function App in Azure API Management
    • Validate the JWT token in APIM policy
    • Check the role in the claims within the JWT in Function App code
    • Set Managed Identity for the Function App
    • Store connection strings as secrets in Azure Key Vault
    • Grant least privilege access policy to the Function App MSI in the Key Vault
    • Change the application configuration for the Function App to point to Key Vault
  • 39. THANK YOU Pratik Khasnabis Azure Cloud Architect (MCSE & MCSD) @softveda

Editor's Notes

  1. https://martinfowler.com/articles/serverless.html
  2. https://snyk.io/
  3. https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-implicit-grant-flow
  4. https://login.microsoftonline.com/{tenant}/.well-known/openid-configuration
  5. https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity
  6. https://github.com/mspnp/serverless-reference-implementation/blob/master/src/readme.md