In today's cloud era, admins struggle to keep their IT infrastructures safe. Cloud security is a joint responsibility, and what we need is a new approach!
In this session, you will learn how to securely deploy and maintain Azure infrastructure solutions, why automation is essential, what network security and encryption options you have, and how access control can prevent you from having sleepless nights.
We will successfully attack an Azure environment live on stage, dive deep into Azure Security Center, and see how we can use it to ultimately secure IT infrastructures on premises, hybrid, and on Azure.
3. Azure Infrastructure Security
Ultimate security in the cloud era
Tom Janetscheck, Principal Cloud Security Architect & Microsoft MVP
4. about me.
Tom Janetscheck
Principal Cloud Security Architect @ Devoteam Alegri
Focused on Azure Identity, Security, Governance, and Infrastructure
Community Lead of Azure Meetup Saarbrücken
Co-organizer of Azure Saturday
Tech blogger and book author
@azureandbeyond
https://blog.azureandbeyond.com
5. agenda.
● Cloud security challenges: Why is cloud security so difficult and identity security so important?
● Azure Governance: Define your guardrails to enable security
● Azure Security Center: Improve your hybrid cloud security posture
● Microsoft Intelligent Security Graph: Unique insights, informed by trillions of signals
● Best practices
● Demo
6. Federal criminal agency – 2018 cybercrime situation report
87.000 cases of cybercrime in 2018
60.000.000 € amount of damage, with an immense dark figure of unreported cases
Estimated amount of damage according to Bitkom: 100.000.000.000 (!) € per year
Source: BKA - 2018 Cybercrime situation report
7. Today's cloud security challenges
Increasingly sophisticated attacks
It's both a strength and a challenge of the cloud. How do you make sure that ever-changing services are up to your security standards?
Attack automation and evasion techniques are evolving along multiple dimensions.
We need human expertise, adaptability, and creativity to combat human threat actors.
9. Cloud Security is a Shared Responsibility
MICROSOFT COMMITMENT: Securing and managing the cloud foundation
• Physical assets
• Datacenter operations
• Cloud infrastructure
JOINT RESPONSIBILITY: Securing and managing your cloud resources
• Virtual machines
• Applications & workloads
• Data
10. Governance – a definition
Establishment of policies, and continuous monitoring of their proper implementation, by the members of the governing body of an organization […] (1)
(1) Source: BusinessDictionary
11. 5 tips and best practices
• Common Sense
• Protect your IDs and implement RBAC
• Use tags and policies
• Secure your network
• Monitor your resources
18. Role-based access control
1. Security principal = user, group, service principal
2. Role definition = set of management rights
Built in: Owner, Contributor, Reader, …, Backup Operator, Security Reader, User Access Administrator, Virtual Machine Contributor
Custom: Reader Support Tickets, Virtual Machine Operator
19. Role-based access control
Contributor
"permissions": [
  {
    "actions": [
      "*"
    ],
    "notActions": [
      "Microsoft.Authorization/*/Delete",
      "Microsoft.Authorization/*/Write",
      "Microsoft.Authorization/elevateAccess/Action"
    ],
    "dataActions": [],
    "notDataActions": []
  }
],
20. Role-based access control
3. Scope = management group (MG), subscription, resource group (RG), resource
Management Group
Azure subscription
Resource group
21. Role-based access control – Role assignment
Role Assignment: DevOps Group (security principal) + Contributor (role definition) + DevOps Resource Group (scope)
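The role assignment from the RBAC slides, worked through as an added example that is not part of the original deck: a role's effective permissions are its actions minus its notActions, assignments are inherited by child scopes, and multiple assignments add up. Assumptions: the subscription ID and resource group name are constructed, the User Access Administrator actions are simplified, and data actions, deny assignments and management group scopes are left out.

```python
from fnmatch import fnmatchcase

# Simplified role definitions (control-plane actions only). Contributor's
# notActions follow the slide, written with the full provider namespace; the
# User Access Administrator entry is an assumption for the combination case.
ROLES = {
    "Contributor": {
        "actions": ["*"],
        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    },
    "User Access Administrator": {
        "actions": ["*/read", "Microsoft.Authorization/*"],
        "notActions": [],
    },
}
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # constructed ID
DEVOPS_RG = SUB + "/resourceGroups/devops-rg"                # hypothetical RG

def _matches(patterns, action):
    # Action strings are compared case-insensitively; "*" is a wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_allows(role, action):
    # Effective permissions of one role = actions minus notActions.
    d = ROLES[role]
    return _matches(d["actions"], action) and not _matches(d["notActions"], action)

def in_scope(assignment_scope, resource_id):
    # An assignment applies at its scope and to everything below it.
    a, r = assignment_scope.lower().rstrip("/"), resource_id.lower()
    return r == a or r.startswith(a + "/")

def is_allowed(assignments, principal, action, resource_id):
    # Assignments are additive: notActions in one role is not a deny if
    # another role assigned at or above the resource grants the action.
    return any(
        who == principal and in_scope(scope, resource_id) and role_allows(role, action)
        for who, role, scope in assignments
    )
```

When reviewing assignments, check the union of roles a principal holds at every parent scope, since a second assignment can grant what Contributor's notActions leave out.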
24. Resource Tags
Name:Value, e.g. CostCenter:ProdIT, ResourceOwner:Tom
Help to define responsibility and view consolidated billing
Always tag RGs
• Owner
• Dept
• CostCenter
• […]
Tag resources as needed
Define tags in advance
25. Resource Policies
Rule enforcements on MG, subscription or RG level
Initiative definitions vs. Policy definitions
Effect types:
• Append
• Deny
• Audit
32. Microsoft Azure Security Center
Security Center assesses your environment and enables you to understand the status of your resources, and whether they are secure.
Enable actionable, adaptive protections that identify and mitigate risk to reduce exposure to attacks.
Use advanced analytics and Microsoft Intelligent Security Graph to rapidly detect and respond to evolving cyber threats.
33. Strengthen your security posture
Identify shadow IT subscriptions
Optimize and improve resource security
Continuous assessments
35. Adaptive threat prevention
Advanced Threat Protection
Native integration with Microsoft Defender ATP for Windows machines
Advanced Threat Detection for Linux machines
39. Protect your cloud storage/networking!
Data leaks in the cloud often stem from unprotected or publicly available storage accounts, or from configuration issues in both platform and infrastructure services.
40. Protect your identities!
Most of today's cyber attacks are identity-focused. Keep that in mind when planning your security strategy.
42. Monitor the heck out of everything!
You need to know what's going on in your environment. Massive telemetry is necessary!
43. Repeat!
Cloud security is an ongoing process. Make sure you regularly assess your current configuration by leveraging automation tools.
44. demo.
Witness on-stage live attacks, see adaptive identity protection, passwordless sign-ins and MFA, and learn how Azure Security Center can help you to protect your hybrid cloud environment.