Enter The Matrix Securing Azure’s Assets
This talk is mainly on the security aspects of Azure, in any context. You’ll get an overview of where security is handled, some practices, and how to monitor and act accordingly on certain threats and issues. It focuses on IaaS, PaaS and SaaS. As security is an integral part of an environment, the integration aspect is never far away. Focus products include Azure and all related services.

Published in: Technology
  1. Sponsored & Brought to you by: Enter The Matrix: Securing Azure’s Assets. Mike Martin, http://www.twitter.com/techmike2kx, https://be.linkedin.com/in/techmike2kx
  2. Enter the Matrix. Securing Azure’s Assets. Mike Martin, Architect, Crosspoint Solutions
  3. Who Am I: Mike Martin. What I do: Architect, Windows Azure MVP, MEET, Insider. Where I work: Crosspoint Solutions (part of Cronos). Where to find me: @Techmike2kx, Mike.Martin@csps.be, and more tips on my blog, http://techmike2kx.wordpress.com
  4. Journey to the Cloud. Drivers: differentiation, agility, cost. Layers: SaaS solutions, higher-level services, cloud infrastructure.
  5. Azure regions. Latest launch was in October 2015: India Central, India South, India West (generally available). 6 new regions announced: Canada Central, Canada East, Germany Central, Germany North East, United Kingdom (2 regions, TBD).
  6. Platform services and infrastructure services: Web Apps, Mobile Apps, API Management, API Apps, Logic Apps, Notification Hubs, Content Delivery Network (CDN), Media Services, BizTalk Services, Hybrid Connections, Service Bus, Storage Queues, Hybrid Operations, Backup, StorSimple, Azure Site Recovery, Import/Export, SQL Database, DocumentDB, Redis Cache, Azure Search, Storage Tables, Data Warehouse, Azure AD Health Monitoring, AD Privileged Identity Management, Operational Analytics, Cloud Services, Batch, RemoteApp, Service Fabric, Visual Studio, App Insights, Azure SDK, VS Online, Domain Services, HDInsight, Machine Learning, Stream Analytics, Data Factory, Event Hubs, Mobile Engagement, Data Lake, IoT Hub, Data Catalog. Security & Management: Azure Active Directory, Multi-Factor Authentication, Automation, Portal, Key Vault, Store/Marketplace, VM Image Gallery & VM Depot, Azure AD B2C, Scheduler.
  7. The Matrix: Physical Defenses, Azure Edge Defenses, Your defenses, Your App / code.
  8. Microsoft Azure shared responsibility: reduces security costs while maintaining flexibility, access and control. Responsibility is split between Customer and Microsoft and shifts across On-Premises, IaaS, PaaS and SaaS.
  9. Model Real-world Attacks: • Model emerging threats, use blended threats • Exfiltrate & leverage compromised data • Escape and evade / persistence. Identify Gaps In Security Story: • Measure time to compromise (MTTC) / pwnage (MTTP) • Highlight security monitoring & recovery gaps • Improve incident response. Demonstrable Impact: • Prove need for Assume Breach • Enumerate business risks • Justify resources, priorities & investment needs.
  10. Exercises Ability To Detect & Respond: • Detect attack & penetration (MTTD) • Respond & recover to attack & penetration (MTT) • Practiced incident response. Enhances Situational Awareness: • Produces actionable intelligence • Full visibility into actual conditions within the environment • Data analysis & forensics for attack & breach indicators. Measure Readiness & Impact: • Accurately assesses real-world attacks • Identifies gaps & investment needs • Focus on slowing down attackers & speeding recovery • Hardening that prevents future attacks.
  11. Trusted Cloud Principles
  12. Assume Breach
  13. Physical data center security (building, perimeter, computer room): cameras, 24x7 security staff, barriers, fencing, alarms, two-factor access control (biometric readers & card readers), security operations center, days of backup power, seismic bracing.
  14. Secure Multi-Tenancy Architecture. Azure: • Centrally manages the platform and helps isolate customer environments using the Fabric Controller • Runs a configuration-hardened version of Windows Server as the Host OS • Uses Hyper-V, a battle-tested and enterprise-proven hypervisor • Runs Windows Server and Linux on Guest VMs for platform services. Customer: • Manages their environment through service management interfaces and subscriptions • Chooses from the gallery or brings their own OS for their Virtual Machines. (Diagram: Portal and SMAPI in front of the Fabric Controller, which manages the Host OS / Hypervisor with per-customer Guest VMs, Azure Storage and SQL Database.)
  15. Data Segregation. Storage isolation: • Access is through Storage account keys and Shared Access Signature (SAS) keys • Storage blocks are hashed by the hypervisor to separate accounts. SQL isolation: • SQL Database isolates separate databases using SQL accounts. Network isolation: • VM switch at the host level blocks inter-tenant communication • Design same principles for multi-tenancy. (Diagram: same Azure/Customer layout as slide 14, with Access Control in front of Azure Storage and SQL Database.)
  16. Azure platform services infrastructure protection. 1. Azure protection: Layer A: the network access layer. Layer B: Azure’s DDoS/DoS/IDS layer. Layer C: host firewalls protect all the hosts and the VLANs. Layer D: conformance with security and privacy requirements, including two-factor authentication for operators. 2. Customer protection: Layers 1-2: the distributed firewall isolates customer’s Layer 3: the virtual network can be managed similar to an on-premises private network. i. Inside the VM: firewalls, IDS and DoS solutions. ii. Virtual network appliances.
  17. (Diagram: Azure vs. Customer responsibilities.)
  18. DDoS System Protection Overview. Detection process: • Traffic to a given /32 VIP, inbound or outbound, is tracked, recorded and analyzed in real time to determine attack behavior. Mitigation process: • Traffic is re-routed to scrubbers via dynamic routing updates • Traffic is SYN-authenticated and rate limited. Supported DDoS attack profiles: • TCP SYN • UDP/ICMP/TCP flood. (Diagram: Internet traffic enters the MSFT routing layer; flow data feeds a detection pipeline and profile DB, which issue routing updates that divert attack traffic to the scrubbing array; scrubbed traffic continues via the SLB to the application.)
  19. Threat Protection. Azure: • Performs big data analysis of logs for intrusion detection & prevention for the platform • Employs denial of service attack prevention measures for the platform • Regularly performs penetration testing. Customer: • Can add extra layers of protection by deploying additional controls, including DoS, IDS, web application firewalls • Conducts authorized penetration testing of their application. (Diagram: threat detection with DoS/IDS capabilities at the cloud access & firewall layer, in front of a virtual network with application, logic and database tiers; end users connect over 443 and the corporate site over VPN.)
  20. (Diagram: isolated virtual networks per customer with VNET-to-VNET connectivity; a cloud access layer exposing a web endpoint (public access) and an RDP endpoint (password access); clients over the Internet, the corporate site over VPN, and the customer admin using the Portal / SMAPI.)
  21. !
  22. Azure Active Directory 2FA Mandatory. • Secure access management requires strong, centralized identity management. • Active Directory (AD) helps you with that on-premises. • Azure Active Directory (AAD) helps you in Azure…and in Office 365, and in 1200+ apps. • AD and AAD are tightly integrated, to enable single sign-on, a single directory and centralized management. • AD and AAD help address your compliance requirements. Azure Active Directory (AAD) integration: • Two-factor authentication can be implemented with PhoneFactor or with AD on-premises. Use two-factor authentication or DevOps to access your production services.
  23. Threat Protection. Azure: • Uses password hashes for synchronization • Offers security reporting that tracks inconsistent traffic patterns, including: • Sign-ins from unknown sources • Multiple failed sign-ins • Sign-ins from multiple geographies in short timeframes • Sign-ins from suspicious IP addresses and suspicious devices. Customer: • Reviews reports and mitigates potential threats • Can enable Multi-Factor Authentication.
  24. Transparency & independent verification: aids customers in meeting security & compliance obligations. Best practices and guidance, third-party verification, Cloud Security Alliance, Security Intelligence report, compliance packages, Trust Center, access to audit reports, Security Response Center progress report.
  25. Global datacenter footprint: 100+ datacenters in over 40 countries.
  26. (Diagram: Azure vs. Customer.)
  27. • Public preview now available globally! RMS SDK, .NET Crypto, SQL TDE, Bitlocker, Partners, EFS, Bitlocker, StorSimple.
  28. Operations Security Assurance. Compliance timeline 2010–2015: HIPAA/HITECH, CJIS, SOC 1, SOC 2, FedRAMP P-ATO, FISMA ATO, UK G-Cloud OFFICIAL, ISO/IEC 27001:2005, CSA Cloud Controls Matrix, PCI DSS Level 1, AU IRAP Accreditation, Singapore MCTS, ISO/IEC 27018, EU Data Protection Directive, CDSA.
  29. Data Deletion. Data destruction and disk handling: • Wiping is NIST 800-88 compliant • Defective disks are destroyed • Index immediately removed from primary location • Geo-replicated copy of the data (index) removed asynchronously • Customers can only read from disk space they have written to.
  30. Data use policies: Azure does not share data with its advertiser-supported services. Azure does not mine Customer Data for advertising. Read the fine print of other cloud service providers’ privacy statements.
  31. Authentication and Access (4x). • Portal access • Uses Live ID (Microsoft Account) • Go to http://manage.windowsazure.com • Role: Service Administrator or Co-Administrator • Uses special REST API without providing certificate. • Management certificate • Certificate can be self-signed • Does not check certificate expiration • Used by PowerShell • Used by REST API. • Storage access • Uses secret key • Or anonymous share access. • RDP VM access • Uses username/password.
  32. Authentication and Access … BUT…! • Portal access • Uses Live ID (Microsoft Account) -> Better have AAD / Org ID + MFA • Implement RBAC -> JEA principle. • Management certificates • ARE EVIL !!!!! • Only use them in a management solution when that is the ONLY option! • Storage access • I’ve got the key … I’ve got ALL your secrets • If needed? IMPLEMENT KEY VAULT! • RDP VM access • Harden from the outside, and access through GW / S2S / ER • Better implement SSH / PoSh Remoting over SSL.
  33. Network Security. • Network Security Groups • Firewalls before the gateways • ACLs • inside the guest OS firewall • Network ACLs on public IP addresses • Network ACLs at the corporate firewall • IPsec inside the guest OS • Network isolation.
  34. Role Based Access in Azure, aka RBAC. • Role: a collection of actions. • Role assignment: access is granted to AAD users and services by role assignment on the resources. • Azure AD security principals: roles can be assigned to the following types of Azure AD security principals: users, groups, service principals.
  35. RBAC in Azure: • Portal management • PowerShell:

```powershell
# Enumerate every RBAC role definition in the subscription and print what it grants.
foreach ($roledef in Get-AzureRMRoleDefinition) {
    Write-Host 'Role: ' $roledef.Name
    # Operations the role permits
    Write-Host 'Actions' $roledef.Actions
    # Operations carved out of the permitted set (the property is NotActions)
    Write-Host 'NotActions' $roledef.NotActions
    Write-Host ([Environment]::NewLine)
}
```
  36. Microsoft Azure Key Vault: safeguard cryptographic keys and other secrets used by cloud apps and services. • Increase security and control over keys and passwords • Create and import encryption keys in minutes • Applications have no direct access to keys • Use FIPS 140-2 Level 2 certified HSMs • Reduce latency with cloud scale and global redundancy. (Diagram: keys imported into HSM-backed Key Vault and consumed by IaaS, PaaS and SaaS workloads.)
  37. SQL Server Scenario
  38. Applying to Azure - Infrastructure. • Port scanning: the only open ports are those defined by us! • Denial of service: • External: depends on our settings, but the Fabric Controller tries to identify the attacks • Internal: all DoS attacks initiated from internal VMs will result in removing those VMs from the network • Spoofing: compromised machines cannot impersonate VMs from the Fabric Controller (broadcast and multicast are blocked, HTTPS between VMs and FC) • Sniffing: the Hyper-V switch prevents sniffing from a VM to another VM on the same host; rack switches block it to other VMs • VMs are untrusted by the Root OS / Hypervisor.
  39. VM Security: • Endpoints • Antimalware extensions • Storage access • Bitlocker support on disks.
  40. Configuring Virtual Machine Security. • Firewall rules • Leveraging public/private/domain profiles. • Access control lists (ACL) • Controls port access at the subnet level • IP address blacklisting • VM endpoint rules (up to 50 per endpoint) • Rule ordering. • Encryption • DPAPI not supported for cloud services • Secure key data with encryption keys • CloudLink.
  41. Endpoint ACLs. Using Network ACLs, you can do the following: • Selectively permit or deny incoming traffic based on remote subnet IPv4 address range to a virtual machine input endpoint • Blacklist IP addresses • Create multiple rules per virtual machine endpoint • Specify up to 50 ACL rules per virtual machine endpoint • Use rule ordering to ensure the correct set of rules is applied on a given virtual machine endpoint (lowest to highest) • Specify an ACL for a specific remote subnet IPv4 address.
  42. Network Security Groups (NSG). • Enables network segmentation & DMZ scenarios • Access Control List • Filter conditions with allow/deny • Individual addresses, address prefixes, wildcards • Associate with VMs or subnets • ACLs can be updated independently of VMs. (Diagram: virtual network with Frontend 10.1/16, Mid-tier 10.2/16 and Backend 10.3/16 subnets, a VPN gateway with S2S VPNs to on-premises 10.0/16, and Internet access.)
  43. DMZ in a Virtual Network. (Diagram: web proxy, app servers, database and DNS servers behind a DMZ, each segment guarded by its own NSG.)
  44. Security considerations when using NSG. • Endpoint ACLs and Network Security Groups don’t work together • Multi-NIC: for now the Network Security Group rules apply only to the traffic on the primary NIC • For RDP endpoints on VMs with a Network Security Group: an NSG does not allow access to any port from the Internet; you have to create a specific rule to allow RDP traffic.
  45. Azure Application Gateway. • Azure-managed, first-party virtual appliances • HTTP routing based on app-level policies • Cookie affinity • URL hash • SSL termination and caching.
  46. Disk encryption flow (ARM/PS cmdlets, host): 1. Customer opts into enabling disk encryption. 2. Customer provides identity and other encryption configuration to the Azure Portal/API to provision encryption key material* in their Key Vault. 3. Azure service management updates the service model with the encryption and Key Vault configuration, and the Azure platform pushes the encryption extension to the VM. 4. The encryption extension initiates encryption on the VM. 5. VM is encrypted. * Key material: BitLocker encryption keys [Windows], passphrase [Linux]. (Diagram: Azure Active Directory, Azure Storage, customer Key Vault, virtual machine, service management, encryption extension, encrypted disks, encryption configuration.)
  47. Applying to Azure - applications. • Use custom domains instead of myapp.cloudapp.net and scope cookies to your custom domain; scripting! • Access to Azure Storage using Shared Access Signatures; attention to REST query injection • SQL Database: pay attention to SQL injection; no TDE • Auditing -> Azure Tables • Authentication using Azure’s ACS, Azure AD, Windows Identity Foundation -> rely on existing patterns and user stores!
  48. Your identity goes with you: 3rd-party clouds/hosting, Azure AD, you.
  49. Identity as the control plane. (Diagram: self-service single sign-on with username and password; a simple connection from on-premises Windows Server Active Directory and other directories to Microsoft Azure Active Directory, which serves cloud SaaS, Azure, Office 365 and public cloud.)
  50. Microsoft Azure Active Directory Cloud App Discovery: 10x as many cloud apps are in use than IT estimates (source: Help Net Security 2014). Discover all SaaS apps in use within your organization; comprehensive reporting: • SaaS app category • Number of users • Utilization volume.
  51. Azure Active Directory Connect*: connects Microsoft Azure Active Directory to other directories via PowerShell, LDAP v3, SQL (ODBC), Web Services (SOAP, JAVA, REST). *
  54. B2B: cross-organization collaboration. “I need to let my partners access my company’s apps using their own credentials.” Share without complex configuration or duplicate users. A user at a large partner may log into my company’s apps with their Active Directory usernames and passwords. A user at a smaller partner may log into my company’s apps with their Office 365 usernames and passwords. Admin configures sharing for cloud apps. “I can’t email my 25 MB file and need to share it with a partner using Box.com.” Seamlessly provide Azure Active Directory to customers & partners. For example, a user at a partner can set up everyone in their company. Users can bring their own email-based or social identities.
  55. Azure Active Directory B2C (Business-to-Consumer). The Azure Active Directory B2C offering is tailored for enterprises who serve large populations (100’s of thousands to millions) of individual customers, and whose business success depends upon consumer adoption of web applications for improving customer satisfaction and reducing operational costs. Azure Active Directory B2C will include: self-service user registration; login with a social IdP or create your own credentials; optional MFA; bulk user import tools; SSO to multiple web sites; user interface customization.
  56. Cloud Domain Join makes it possible to connect work-owned Windows devices to your company’s Azure Active Directory tenancy in the cloud. Users can sign in to Windows with their cloud-hosted work credentials and enjoy modern Windows experiences. Cloud Domain Joined devices: • Enterprise-compliant services: roaming settings, Windows backup/restore, Store access… Data stored in enterprise-compliant backend services on Azure. No need to add a personal Microsoft account. • SSO from the desktop to org resources: SSO from the desktop to Office 365 and 1,000’s of enterprise apps, websites and resources. Access the enterprise-curated Store and install apps using a work account. • Management: automatic MDM enrollment during the first-run experience. • Support for hybrid environments: traditional domain-joined PCs also benefit from Cloud Domain Join functionality when the on-prem Active Directory is connected with an Azure Active Directory in the cloud.
  57. Azure AD: identity-driven security. SSO + MFA, conditional access, Cloud App Discovery, advanced security reporting, Privileged Identity Management.
  58. Log Management: collect, correlate and visualize all your machine data with OMS Log Analytics. Machine data from on-premises and cloud (event logs | IIS logs | security logs | performance counters | syslog | & many more), sent by Windows & Linux servers forwarding directly, servers forwarding through SCOM, and cloud VMs, flows through a data processing engine into Azure Blob storage, a search service and the portal. Key benefits: Troubleshooting: • Correlate & search data from multiple sources • Collect custom data types • Build dashboards powered by search queries. Operation Insights: • Forecast future capacity needs and pinpoint performance bottlenecks • Check your update and malware protection status. Security Intelligence: • Identify security breaches • Meet compliance requirements for auditing • Analyze security data. Real-time dashboards & reporting, scalable search, ready-made intelligence.
  60. OMS Agent For Linux. What sorts of data can I collect? • Syslog: collect your choice of syslog events from rsyslog and syslog-ng. • Performance metrics: we can collect 70+ performance metrics at a 30 second granularity using our new. Get metrics from the following objects: System, Processor, Memory & Swap space, Process, Logical Disk (File System) and Physical Disk. Full list of Performance Counters. • Docker container logs, metrics & inventory: we show information about where your containers and container hosts are, which containers are running or failed, and Docker daemon and container logs sent to stdout and stderr. We also show performance metrics such as CPU, memory, network and storage for the containers and hosts to help you troubleshoot and find noisy-neighbor containers. We support Docker version 1.8+. • Alerts from Nagios + Zabbix: the agent can collect alerts from your most popular monitoring tools. This allows you to view all your alerts from all your tools in a single pane of glass! Combine this with our existing support for collection of alerts from Operations Manager. We currently support Nagios 3+ and Zabbix 2.x. • Apache & MySQL performance metrics: collect performance metrics about your MySQL/MariaDB server performance and databases, and Apache HTTP Servers and Virtual Hosts.
  61. How Data Flows to OMS: from your environment (‘multiple’ management groups) to the Microsoft Operations Management Suite portal. https://preview.systemcenteradvisor.com/Content/AdvisorCore/Resources/Security.pdf
  62. Introducing
  63. Unified view of all security-related information, relevant threats and recommendations. Central management of security policies, network configuration, virtual machine baselines, etc. Integrated security event logging and monitoring, including events from partner solutions.
  64. Define policies for your Azure subscriptions according to your company security needs. Security recommendations guide resource owners through the process of implementing required controls. Rapidly deploy security services and appliances from Microsoft and partners, like firewalls and endpoint protection.
  65. Constantly collects, analyzes and fuses security events from your Azure resources, the network and integrated partner solutions. Leverages global threat intelligence from Microsoft products and services, Digital Crime and Incident Response Centers, and third-party feeds. Creates prioritized security alerts with insight into the attack and recommendations on how to remediate.
  66. Staying connected: http://azure.microsoft.com/en-us/support/trust-center/ http://blogs.msdn.com/b/azuresecurity/ https://azure.microsoft.com/en-us/blog/microsoft-azure-network-security-whitepaper-version-3-is-now-available/
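Slides 34 and 35 describe RBAC roles as collections of actions, listed as Actions and NotActions, assigned to principals on resources. The following is an added example (not from the deck or from Azure) that works out how those two lists combine into an effective permission check; the role definitions, principals and scopes are constructed stand-ins, simplified from Azure's real built-in roles.

```python
from fnmatch import fnmatchcase

# Constructed role definitions in the Actions / NotActions shape the slide's
# PowerShell loop prints. Simplified illustrations, not Azure's actual built-ins.
ROLE_DEFINITIONS = {
    "Reader": {
        "Actions": ["*/read"],
        "NotActions": [],
    },
    "Virtual Machine Contributor": {
        "Actions": ["Microsoft.Compute/virtualMachines/*", "Microsoft.Network/*/read"],
        "NotActions": [],
    },
    "Contributor": {
        "Actions": ["*"],
        # May change resources, but may not hand out access to them.
        "NotActions": ["Microsoft.Authorization/*/Write", "Microsoft.Authorization/*/Delete"],
    },
}

# Constructed role assignments (principal, role, scope); all values hypothetical.
ROLE_ASSIGNMENTS = [
    {"principal": "alice@example.com", "role": "Reader",
     "scope": "/subscriptions/sub-1"},
    {"principal": "bob@example.com", "role": "Virtual Machine Contributor",
     "scope": "/subscriptions/sub-1/resourceGroups/rg-web"},
]


def _matches(pattern, action):
    # Operation names are compared case-insensitively; '*' spans '/' segments.
    return fnmatchcase(action.lower(), pattern.lower())


def role_permits(role, action):
    """A role permits an operation if some Actions pattern matches it and no
    NotActions pattern carves it back out of the granted set."""
    granted = any(_matches(p, action) for p in role["Actions"])
    excluded = any(_matches(p, action) for p in role["NotActions"])
    return granted and not excluded


def scope_covers(scope, resource_id):
    """An assignment at a scope applies to that scope and everything beneath it."""
    scope, resource_id = scope.lower(), resource_id.lower()
    return resource_id == scope or resource_id.startswith(scope + "/")


def effective_allow(assignments, principal, action, resource_id):
    """RBAC is additive: the operation is allowed if any assignment held by the
    principal at a covering scope permits it. NotActions only narrow the role
    they belong to; they never deny what a second role grants."""
    for asg in assignments:
        if asg["principal"].lower() != principal.lower():
            continue
        if not scope_covers(asg["scope"], resource_id):
            continue
        if role_permits(ROLE_DEFINITIONS[asg["role"]], action):
            return True
    return False


def roles_permitting(action):
    """Roles that would grant an operation, for picking the narrowest one (JEA)."""
    return sorted(name for name, r in ROLE_DEFINITIONS.items() if role_permits(r, action))


if __name__ == "__main__":
    vm = "/subscriptions/sub-1/resourceGroups/rg-web/providers/Microsoft.Compute/virtualMachines/web01"
    print(effective_allow(ROLE_ASSIGNMENTS, "bob@example.com",
                          "Microsoft.Compute/virtualMachines/write", vm))
    print(roles_permitting("Microsoft.Authorization/roleAssignments/write"))
```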
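Slide 41 lists the constraints on endpoint ACLs (permit/deny by remote IPv4 range, up to 50 rules per endpoint, evaluated in order from lowest to highest). This added example (not from the deck, and not Azure's implementation) models that evaluation and flags the ordering mistake that silently defeats a deny rule; since the slide does not state what happens when no rule matches, the default is passed in explicitly, and the rule sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

MAX_RULES_PER_ENDPOINT = 50  # limit stated on slide 41


@dataclass(frozen=True)
class AclRule:
    order: int            # lower order is evaluated first
    action: str           # "permit" or "deny"
    remote_subnet: str    # remote IPv4 range in CIDR notation


def validate_acl(rules):
    """Check an endpoint ACL against the slide's constraints and return the
    rules in evaluation order (lowest order first)."""
    if len(rules) > MAX_RULES_PER_ENDPOINT:
        raise ValueError(f"at most {MAX_RULES_PER_ENDPOINT} rules per endpoint")
    orders = [r.order for r in rules]
    if len(set(orders)) != len(orders):
        raise ValueError("rule order values must be unique")
    for r in rules:
        if r.action not in ("permit", "deny"):
            raise ValueError(f"unknown action {r.action!r}")
        ipaddress.IPv4Network(r.remote_subnet)  # raises on a malformed range
    return sorted(rules, key=lambda r: r.order)


def evaluate(rules, remote_ip, default):
    """The first matching rule (lowest order) decides; `default` applies when
    nothing matches. The implicit default is an assumption left to the caller."""
    ip = ipaddress.IPv4Address(remote_ip)
    for rule in validate_acl(rules):
        if ip in ipaddress.IPv4Network(rule.remote_subnet):
            return rule.action
    return default


def shadowed_rules(rules):
    """Rules that can never fire because an earlier rule already covers their
    whole range, e.g. a /32 deny placed after a /24 permit."""
    ordered = validate_acl(rules)
    shadowed = []
    for i, later in enumerate(ordered):
        later_net = ipaddress.IPv4Network(later.remote_subnet)
        for earlier in ordered[:i]:
            if later_net.subnet_of(ipaddress.IPv4Network(earlier.remote_subnet)):
                shadowed.append(later)
                break
    return shadowed


# Constructed scenario: a partner /24 may reach a management endpoint, except
# one host in it. The permit rule makes this an allow-list, so the caller uses
# a deny default for everything else.
PARTNER_ACL_WRONG = [
    AclRule(order=100, action="permit", remote_subnet="203.0.113.0/24"),
    AclRule(order=200, action="deny", remote_subnet="203.0.113.77/32"),  # never reached
]
PARTNER_ACL_RIGHT = [
    AclRule(order=100, action="deny", remote_subnet="203.0.113.77/32"),
    AclRule(order=200, action="permit", remote_subnet="203.0.113.0/24"),
]

if __name__ == "__main__":
    for name, acl in (("wrong", PARTNER_ACL_WRONG), ("right", PARTNER_ACL_RIGHT)):
        print(name, evaluate(acl, "203.0.113.77", default="deny"),
              [r.order for r in shadowed_rules(acl)])
```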
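Slide 23 lists the sign-in patterns that Azure AD security reporting flags for the customer to review: multiple failed sign-ins, sign-ins from multiple geographies in short timeframes, and sign-ins from suspicious IP addresses. As an added example (not from the deck, and not how Azure AD itself is implemented), the rules below express those three signals as detection logic over a constructed batch of sign-in records; the record shape, thresholds, windows and the suspicious-IP list are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records: (timestamp, user, source IP, country, outcome).
# Addresses come from documentation ranges; the whole batch is fabricated.
SIGN_INS = [
    ("2015-11-02T08:00:00", "alice@example.com", "198.51.100.10", "BE", "success"),
    ("2015-11-02T08:25:00", "alice@example.com", "203.0.113.5",   "US", "success"),
    ("2015-11-02T09:00:00", "bob@example.com",   "198.51.100.20", "BE", "failure"),
    ("2015-11-02T09:01:00", "bob@example.com",   "198.51.100.20", "BE", "failure"),
    ("2015-11-02T09:02:00", "bob@example.com",   "198.51.100.20", "BE", "failure"),
    ("2015-11-02T09:04:00", "bob@example.com",   "198.51.100.20", "BE", "failure"),
    ("2015-11-02T09:06:00", "bob@example.com",   "198.51.100.20", "BE", "failure"),
    ("2015-11-02T09:30:00", "carol@example.com", "192.0.2.200",   "NL", "success"),
    ("2015-11-02T10:00:00", "dave@example.com",  "198.51.100.30", "BE", "failure"),
    ("2015-11-02T10:01:00", "dave@example.com",  "198.51.100.30", "BE", "success"),
    ("2015-11-02T14:00:00", "dave@example.com",  "198.51.100.31", "BE", "success"),
]

# Constructed stand-in for a feed of known-suspicious source addresses.
SUSPICIOUS_IPS = {"192.0.2.200"}


def parse(records):
    """Turn raw tuples into dicts sorted by time, so windows can be scanned."""
    rows = [{"ts": datetime.fromisoformat(ts), "user": u, "ip": ip,
             "country": c, "result": r} for ts, u, ip, c, r in records]
    return sorted(rows, key=lambda r: r["ts"])


def failed_signin_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Users with `threshold` or more failures inside any sliding `window`."""
    failures = defaultdict(list)
    for r in parse(records):
        if r["result"] == "failure":
            failures[r["user"]].append(r["ts"])
    flagged = set()
    for user, times in failures.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop failures older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


def multi_geo_signins(records, window=timedelta(hours=1)):
    """Users with successful sign-ins from two countries within `window`
    (the 'multiple geographies in short timeframes' signal)."""
    last = {}          # user -> (timestamp, country) of the previous success
    flagged = set()
    for r in parse(records):
        if r["result"] != "success":
            continue
        prev = last.get(r["user"])
        if prev and prev[1] != r["country"] and r["ts"] - prev[0] <= window:
            flagged.add(r["user"])
        last[r["user"]] = (r["ts"], r["country"])
    return flagged


def suspicious_ip_signins(records, bad_ips):
    """(user, ip) pairs where a sign-in attempt came from a known-bad source."""
    return {(r["user"], r["ip"]) for r in parse(records) if r["ip"] in bad_ips}


def report(records=SIGN_INS, bad_ips=SUSPICIOUS_IPS):
    """One pass that produces the review list a customer would triage."""
    return {
        "failed_bursts": sorted(failed_signin_bursts(records)),
        "multi_geo": sorted(multi_geo_signins(records)),
        "suspicious_ip": sorted(suspicious_ip_signins(records, bad_ips)),
    }


if __name__ == "__main__":
    for kind, hits in report().items():
        print(f"{kind}: {hits}")
```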