
How do you protect a hybrid PaaS-IaaS solution, built entirely in the cloud?


Slides from the presentation I made during Global Azure Bootcamp 2018 in Zurich, about Azure Security

Published in: Technology

  1. HOW DO YOU PROTECT A HYBRID PaaS-IaaS SOLUTION, BUILT ENTIRELY IN THE CLOUD? #GlobalAzure #AzureZurich – lorenzo.barbieri@microsoft.com @_geniodelmale
  2. EVERYTHING STARTS WITH A “GOOD” ARCHITECTURE
     [Architecture diagram: Web UI, Users, Photos URLs, RAW Photos, Thumbnails, Watermarking, Photo resize; resource groups (RG) for Dev-Test and Production. The same diagram is repeated on the following slides, with additions noted where they appear.]
  3. 1ST STRIKE – The case of disappearing resources
     (Diagram callout: “Attack one! Destroy ’em all!”)
  4. MITIGATION – Infrastructure as Code:
     • Script everything
     • Backup everything
     • DevOps
  5. REMEDIATION
     • Subscription role protection
     • RBAC
     • Azure AD could be protected with MFA
  6. 2ND STRIKE – The case of unexpected load
     (Diagram callout: “Attack two…o…o…oooo!” and “$$$$” on the resource groups)
  7. MITIGATION
     • Alert rules and monitoring
     • web.config based IP restriction
     • Functions in App Service Plan
     (Diagram: +web.config on the Web UI)
  8. REMEDIATION
     • Web App Firewall
     • API Management
     • <NEW> Azure DDoS Protection for VNET
  9. 3RD STRIKE – The case of data and storage loss
     (Diagram callout: “Attack three! I know your secrets!”)
  10. MITIGATION
     • Key rotation
     • Least user privilege (DB)
     • Alert
  11. REMEDIATION
     • SQL DB Firewall
     • VNET Storage
     • Handle Disconnect
     (Diagram: +SQL DB Firewall on the Users/Photos URLs database)
  12. 4TH STRIKE – The case of being Gitted
     (Diagram callout: “Fourth Attack! Keys from the octocat!”)
  13. REMEDIATION
     • Move all the keys to a secure path
     • Use Team Build to set them before deployment
     • Azure Key Vault
     • Managed Service Identity (preview)
     (Diagram: a “?” marks where the keys should live)
  14. 5TH STRIKE – The case of remote connections
     (Diagram callout: “Remote Attack!”; a “>_ SSH” endpoint is exposed)
  15. REMEDIATION
     • Network Security Groups
     (Diagram: “>_ SSH” now sits behind the NSG)
  16. A BETTER ARCHITECTURE
     (Diagram: the original components with +SQL DB Firewall and +web.config, RG for Dev-Test and Production)
  17. RECAP – THE 7 GOLDEN RULES
     • Script everything
     • Backup everything
     • Least user privilege
     • Trust no one
     • Monitor everything
     • Assume cloud failure
     • Protect your secrets
  18. TAKE A LOOK AT AZURE SECURITY CENTER
  19. RESOURCES
     • “Parts Unlimited” sample site with telemetry and fault injection: https://microsoft.github.io/PartsUnlimited/
     • The “bible of Chaos Engineering”: http://principlesofchaos.org/
     • Only for the “Brave”, Netflix Chaos Monkey integrated with Spinnaker: https://github.com/Netflix/chaosmonkey
     • Cloud Bedlam: https://github.com/GitTorre/CloudBedlamLinux/tree/dotnet-core
  20. THANK YOU VERY MUCH!
     • Feedback is important!
     • Tweet: @_geniodelmale #GlobalAzure #AzureZurich or send me an email: lorenzo.barbieri@microsoft.com @_geniodelmale
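The “web.config based IP restriction” mitigation from slide 7 is only named on the slide, so here is an added example (not part of the deck) of what it looks like for an Azure App Service web app or a Function in an App Service Plan. The weak (default) posture is shown commented out beside the hardened one; the IP addresses are constructed placeholders from the RFC 5737 documentation ranges.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example, not from the presentation: IIS/App Service ipSecurity
     restriction. Addresses are constructed placeholders; replace them with
     the egress addresses of your API Management / WAF front door and your
     admin network. -->
<configuration>
  <system.webServer>
    <security>
      <!-- Weak posture: allowUnlisted="true" is the default, so every client
           is admitted and only explicitly listed addresses are blocked.
           A blocklist like this is trivially sidestepped by a new source IP. -->
      <!--
      <ipSecurity allowUnlisted="true">
        <add ipAddress="192.0.2.7" allowed="false"/>
      </ipSecurity>
      -->
      <!-- Hardened posture: deny by default, then allow only the known
           front door (single host) and the admin subnet (/24). -->
      <ipSecurity allowUnlisted="false">
        <clear/>
        <add ipAddress="203.0.113.10" allowed="true"/>
        <add ipAddress="198.51.100.0" subnetMask="255.255.255.0" allowed="true"/>
      </ipSecurity>
    </security>
  </system.webServer>
</configuration>
```

This restricts only the app’s own site, not the SCM/Kudu site, and it matches the address the app sees as the connection source, so when a WAF or API Management sits in front (slide 8) the allow entries must be that layer’s outbound addresses rather than end-user addresses.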
