Security can be applied at various levels. We’ll see the adventure of two friends building a web solution, but one of them is trying to sabotage from the inside. We’ll see if the loyal friend will succeed in protecting all the work, and how the solution should evolve to be more secure!
How do you protect a hybrid PaaS-IaaS solution, built entirely in the cloud?
1. #azuresatpn
How do you protect a hybrid PaaS-IaaS solution, built entirely in the cloud?
lorenzo.barbieri@microsoft.com
@_geniodelmale
2. EVERYTHING STARTS WITH A “GOOD” ARCHITECTURE
[Architecture diagram: Web UI, Users, Photos URLs, RAW Photos, Thumbnails, Watermarking, Photo resize; one resource group (RG) each for Dev-Test and Production]
3. 1ST STRIKE
The case of disappearing resources
Attack one! “Destroy ’em all!”
[Architecture diagram as on slide 2]
4. MITIGATION
Infrastructure as Code:
• Script & Backup everything
• ARM & Azure Policy
PaaS safeguards:
o Azure Web App Undelete
o SQL Point in time
[Architecture diagram as on slide 2]
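An added example (not from the deck) of scripting the first mitigation with the Az PowerShell module: a CanNotDelete lock on both resource groups, a check that the lock is really there, and the two PaaS recovery paths the slide names. Resource group, server, database and app names are placeholders.

```powershell
# Added example: protect the two resource groups from the "disappearing
# resources" strike and exercise the PaaS recovery paths named on the slide.
# Requires the Az module (Connect-AzAccount first). All names are placeholders.
$resourceGroups = @('photos-dev-test-rg', 'photos-prod-rg')

foreach ($rg in $resourceGroups) {
    # A CanNotDelete lock still allows reads and updates, but every delete
    # (a single resource or the whole group) fails until the lock is removed.
    New-AzResourceLock -LockName 'no-delete' -LockLevel CanNotDelete `
        -ResourceGroupName $rg -Force `
        -LockNotes 'Infrastructure is redeployable from source; deletes need a deliberate unlock' |
        Out-Null
}

# Check (run from CI after every deployment): each RG in scope must carry the lock
$missing = $resourceGroups | Where-Object {
    -not (Get-AzResourceLock -ResourceGroupName $_ -LockName 'no-delete' -ErrorAction SilentlyContinue)
}
if ($missing) { throw "Resource groups without a delete lock: $($missing -join ', ')" }

# Recovery path 1: SQL Database point-in-time restore into a NEW database,
# so the restore can be validated before anything is swapped.
$db = Get-AzSqlDatabase -ResourceGroupName 'photos-prod-rg' -ServerName 'photos-sql' -DatabaseName 'photos'
Restore-AzSqlDatabase -FromPointInTimeBackup -PointInTime (Get-Date).AddHours(-1) `
    -ResourceGroupName $db.ResourceGroupName -ServerName $db.ServerName `
    -TargetDatabaseName 'photos-restored' -ResourceId $db.ResourceId

# Recovery path 2: undelete an App Service web app that was removed
Get-AzDeletedWebApp -ResourceGroupName 'photos-prod-rg' -Name 'photos-webui' |
    Restore-AzDeletedWebApp -TargetResourceGroupName 'photos-prod-rg' -TargetName 'photos-webui' -Force
```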
6. 2ND STRIKE
The case of unexpected load
Attack two…o…o…oooo! $$$
[Architecture diagram as on slide 2, with $$$ piling up on the resource groups]
7. MITIGATION
o Alert rules and monitoring
o web.config based IP restriction
o Functions in App Service Plan
o App Service Diagnostics
[Architecture diagram as on slide 2, now annotated +web.config]
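An added example (not the deck's own code) of the first bullet, alert rules and monitoring, with Az PowerShell: a metric alert on the Web UI request count and one on App Service plan CPU, both wired to an e-mail action group, so a load spike is seen before the bill is. Resource names and the address are placeholders.

```powershell
# Added example: alert on unexpected load before it becomes an unexpected bill.
# Requires the Az module; resource names and the e-mail address are placeholders.
$rg     = 'photos-prod-rg'
$webApp = Get-AzWebApp -ResourceGroupName $rg -Name 'photos-webui'

# Who gets notified
$email  = New-AzActionGroupReceiver -Name 'ops-mail' -EmailReceiver -EmailAddress 'ops@example.com'
$action = Set-AzActionGroup -Name 'photos-ops' -ResourceGroupName $rg -ShortName 'photosops' -Receiver $email

# Signal 1: a request flood on the Web UI (total requests over a 5-minute window,
# evaluated every minute). The threshold is a placeholder; baseline it first.
$tooManyRequests = New-AzMetricAlertRuleV2Criteria -MetricName 'Requests' -TimeAggregation Total `
    -Operator GreaterThan -Threshold 10000
Add-AzMetricAlertRuleV2 -Name 'webui-request-flood' -ResourceGroupName $rg -Severity 2 `
    -WindowSize (New-TimeSpan -Minutes 5) -Frequency (New-TimeSpan -Minutes 1) `
    -TargetResourceId $webApp.Id -Condition $tooManyRequests -ActionGroupId $action.Id `
    -Description 'More than 10k requests in 5 minutes: check for abuse before scaling out'

# Signal 2: the plan saturating, which is where the cost of the strike lands
# (Functions on the same plan share this ceiling instead of billing per execution)
$plan    = Get-AzAppServicePlan -ResourceGroupName $rg -Name 'photos-plan'
$cpuHigh = New-AzMetricAlertRuleV2Criteria -MetricName 'CpuPercentage' -TimeAggregation Average `
    -Operator GreaterThan -Threshold 85
Add-AzMetricAlertRuleV2 -Name 'plan-cpu-high' -ResourceGroupName $rg -Severity 2 `
    -WindowSize (New-TimeSpan -Minutes 5) -Frequency (New-TimeSpan -Minutes 1) `
    -TargetResourceId $plan.Id -Condition $cpuHigh -ActionGroupId $action.Id `
    -Description 'App Service plan CPU above 85% for 5 minutes'
```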
9. APP SERVICE DIAGNOSTICS
• An interactive and intelligent experience for self-troubleshooting your app issues
• What does that actually mean?
• 🔒 Diagnose and troubleshoot your app issues and learn about best practices
• 🎨 Use Genie to guide you through each problem category tile
• 📈 Intelligent search capabilities
• 🌏 Straight out of the box, no extra configuration necessary
10. 3RD STRIKE
The case of data and storage loss
Attack three! “I know your secrets!”
[Architecture diagram as on slide 7 (+web.config)]
11. MITIGATION
o Key rotation
o Least user privilege (DB)
o Alert
[Architecture diagram as on slide 7 (+web.config)]
12. REMEDIATION
o SQL DB Firewall
o VNET Storage
o Handle Disconnect
[Architecture diagram as on slide 7, now annotated +SQL DB Firewall next to Photos URLs]
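An added example (not from the deck) that covers the key rotation of slide 11 and the SQL DB firewall of slide 12 in one Az PowerShell script: the storage keys are rotated one at a time so the Web UI never points at a dead key, and the SQL server's allow-everything rule is replaced by rules for the app's outbound addresses only. Names and the app setting key are placeholders.

```powershell
# Added example: "3rd strike" mitigations. Rotate the storage account keys
# without an outage, then close the SQL server to everything except the Web UI.
# Requires the Az module; names are placeholders.
$rg      = 'photos-prod-rg'
$storage = 'photosraw'
$webApp  = Get-AzWebApp -ResourceGroupName $rg -Name 'photos-webui'

# --- Key rotation. Two keys exist so the app can be moved first and the
# leaked key regenerated afterwards: 1) regenerate the unused key2,
# 2) point the app at key2, 3) regenerate key1. Next time, swap the roles.
New-AzStorageAccountKey -ResourceGroupName $rg -Name $storage -KeyName key2 | Out-Null
$key2 = (Get-AzStorageAccountKey -ResourceGroupName $rg -Name $storage |
         Where-Object KeyName -eq 'key2').Value
$conn = "DefaultEndpointsProtocol=https;AccountName=$storage;AccountKey=$key2;EndpointSuffix=core.windows.net"

# Set-AzWebApp -AppSettings replaces the whole set, so carry the others over
$settings = @{}
foreach ($s in $webApp.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
$settings['PhotoStorage'] = $conn
Set-AzWebApp -ResourceGroupName $rg -Name $webApp.Name -AppSettings $settings | Out-Null

New-AzStorageAccountKey -ResourceGroupName $rg -Name $storage -KeyName key1 | Out-Null

# --- SQL DB firewall: remove any "allow all" rule, allow only the app's
# outbound IPs. (Least privilege, slide 11: the SQL user in the connection
# string should be a contained user with db_datareader/db_datawriter, never
# the server admin.)
$sqlServer = 'photos-sql'
foreach ($rule in Get-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer) {
    if ($rule.StartIpAddress -eq '0.0.0.0' -and $rule.EndIpAddress -eq '255.255.255.255') {
        Remove-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
            -FirewallRuleName $rule.FirewallRuleName -Force
    }
}
$i = 0
foreach ($ip in $webApp.OutboundIpAddresses -split ',') {
    New-AzSqlServerFirewallRule -ResourceGroupName $rg -ServerName $sqlServer `
        -FirewallRuleName "webui-$i" -StartIpAddress $ip -EndIpAddress $ip | Out-Null
    $i++
}
```

The app's outbound addresses can change when the plan is scaled or moved, so re-run the firewall part from the deployment pipeline rather than once by hand.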
13. 4TH STRIKE
The case of being Gitted
Fourth Attack! “Keys from the octocat!”
[Architecture diagram as on slide 12 (+SQL DB Firewall, +web.config)]
14. REMEDIATION
o Move all the keys to a secure path
o Use Team Build to set them before deployment
o Azure Key Vault
o Managed Service Identity
[Architecture diagram as on slide 12, with a “?” marking where the keys should live]
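An added example (not the deck's own code) of the last two bullets with Az PowerShell: the Web UI gets a system-assigned managed identity, the storage secret goes into Key Vault, and the app setting becomes a Key Vault reference that App Service resolves at startup, so nothing secret is left to commit. Vault, app and secret names are placeholders; the plaintext value would come from the build pipeline, never from source.

```powershell
# Added example: take the secrets out of the repository. Requires the Az module;
# names are placeholders. Run this from the release pipeline, not from a dev box.
$rg     = 'photos-prod-rg'
$vault  = 'photos-kv'

# Managed Service Identity: the app authenticates to Key Vault as itself,
# so there is no credential to store for fetching the other credentials.
$webApp = Set-AzWebApp -ResourceGroupName $rg -Name 'photos-webui' -AssignIdentity $true

# Least privilege on the vault: the identity may read secrets, never set or delete them
Set-AzKeyVaultAccessPolicy -VaultName $vault -ObjectId $webApp.Identity.PrincipalId `
    -PermissionsToSecrets get,list

# Store the secret once (value injected by the build, placeholder here)
$value = ConvertTo-SecureString 'REPLACE_WITH_REAL_CONNECTION_STRING' -AsPlainText -Force
Set-AzKeyVaultSecret -VaultName $vault -Name 'PhotoStorage' -SecretValue $value | Out-Null

# The app setting holds a reference, not the value. Without a SecretVersion
# the latest version is used, so rotating in the vault needs no redeploy.
$settings = @{}
foreach ($s in $webApp.SiteConfig.AppSettings) { $settings[$s.Name] = $s.Value }
$settings['PhotoStorage'] = "@Microsoft.KeyVault(VaultName=$vault;SecretName=PhotoStorage)"
Set-AzWebApp -ResourceGroupName $rg -Name $webApp.Name -AppSettings $settings | Out-Null

# Check: no app setting may still carry a raw key or password
$leaked = (Get-AzWebApp -ResourceGroupName $rg -Name $webApp.Name).SiteConfig.AppSettings |
    Where-Object { $_.Value -match 'AccountKey=|Password=' -and $_.Value -notmatch '^@Microsoft\.KeyVault' }
if ($leaked) { throw "Plaintext secrets still in app settings: $($leaked.Name -join ', ')" }
```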
15. 5TH STRIKE
The case of remote connections
Remote Attack!
[Architecture diagram as on slide 12, plus an SSH endpoint (>_)]
16. MITIGATION
o Patching and security policies
o Azure Security Center: not only for VMs, it can also check networks, App Services, Blob Storage, SQL, etc.
[Architecture diagram as on slide 15]
17. REMEDIATION
o Network Security Groups
[Architecture diagram as on slide 15]
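An added example (not from the deck) of the NSG remediation with Az PowerShell, assuming the photo resize component runs on a VM reached over SSH: SSH is allowed only from an admin range, the resize port only from inside the VNet, everything else inbound is denied, and a check confirms port 22 is not open to the internet. Names, the admin range and the service port are placeholders.

```powershell
# Added example: an NSG for the resize VM that keeps SSH off the internet.
# Requires the Az module; names, ranges and ports are placeholders.
$rg        = 'photos-prod-rg'
$location  = 'westeurope'
$adminCidr = '203.0.113.0/24'   # RFC 5737 documentation range, standing in for the office

$rules = @(
    New-AzNetworkSecurityRuleConfig -Name 'allow-ssh-admin' -Direction Inbound -Priority 100 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix $adminCidr -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 22 `
        -Description 'SSH only from the admin range (Security Center JIT access is the next step)'
    New-AzNetworkSecurityRuleConfig -Name 'allow-resize-from-vnet' -Direction Inbound -Priority 110 `
        -Access Allow -Protocol Tcp -SourceAddressPrefix 'VirtualNetwork' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 8080 `
        -Description 'Resize service called only from inside the VNet'
    New-AzNetworkSecurityRuleConfig -Name 'deny-all-inbound' -Direction Inbound -Priority 4000 `
        -Access Deny -Protocol '*' -SourceAddressPrefix '*' -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange '*' `
        -Description 'Explicit deny ahead of the default rules (priority 65000 and above)'
)
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'resize-vm-nsg' -SecurityRules $rules

# Attach to the VM's NIC (attaching to the subnet is the other option)
$nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name 'resize-vm-nic'
$nic.NetworkSecurityGroup = $nsg
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# Check: no allow rule may expose 22 (or every port) to the internet
$open = $nsg.SecurityRules | Where-Object {
    $_.Access -eq 'Allow' -and $_.Direction -eq 'Inbound' -and
    ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet') -and
    ($_.DestinationPortRange -contains '22' -or $_.DestinationPortRange -contains '*')
}
if ($open) { throw "SSH reachable from the internet via: $($open.Name -join ', ')" }
```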
18. A BETTER ARCHITECTURE
[Architecture diagram: Web UI, Users, Photos URLs (+SQL DB Firewall), RAW Photos, Thumbnails, Watermarking, Photo resize (+web.config); resource groups for Dev-Test and Production; the SSH endpoint no longer appears]
19. RECAP – THE 7 GOLDEN RULES
• Script everything
• Backup everything
• Least user privilege
• Trust no one
• Monitor everything
• Assume cloud failure
• Protect your secrets
21. SECURITY CENTER ARCHITECTURE
[Architecture diagram. Inputs: IP geotagging, …; Netflow, SQL DB and Storage logs, …; Windows Events, Syslog, CEF, configurations. Outputs: threat detections and prescriptive recommendations; security dashboards delivering rapid insights into security state across all workloads; actionable security recommendations; investigation tools and log search; curated, prioritized security alerts; REST APIs, notifications, automation; export to Excel and Power BI]
22. AZURE SECURITY CENTER FEATURES
GA:
• Server EDR with WDATP
• Linux threat detection
• Organization-wide security policies & management groups
• Programmatic automation: PowerShell cmdlets, REST APIs
• JIT VM Access
• Dynamic rule priorities
• Adaptive application controls (Windows)
• Alerts
• Support for “groups for review”
• File integrity monitoring
• Process investigator: detection of fileless attacks
• Azure App Services threat detection
• Azure Gov
• Alerts map
Limited public preview:
• Adaptive network hardening
• PCI/CIS/ISO/SOC compliance reports
Public preview:
• Network map
• Secure score IaaS/PaaS
• Docker containers on Linux servers
• UEBA for Azure resources and identities with MCAS
• Threat detection for Azure Blob Storage
• Threat detection for Azure PostgreSQL
• Threat detection for Azure MySQL
23. RESOURCES
• “Parts Unlimited” sample site with telemetry and fault injection:
– https://microsoft.github.io/PartsUnlimited/
• The “bible of Chaos Engineering”: http://principlesofchaos.org/
• Only for the “Brave”, Netflix Chaos Monkey integrated with Spinnaker:
https://github.com/Netflix/chaosmonkey
• Cloud Bedlam: https://github.com/GitTorre/CloudBedlamLinux/tree/dotnet-core
24. AZURE SECURITY & MANAGEMENT @ IGNITE
Security
• BRK2395 Wed 9AM: Azure Security fundamentals: Protecting infrastructure, apps, and data in the cloud
• BRK2038 Wed 2:15PM: Simplify protection of cloud resources with Azure Security Center
• BRK2368 Tues 9AM: Practical guide for using Azure Security Center to protect hybrid cloud environment (workshop: WRK2010 Tues 10:45AM)
• BRK3059 Thurs 3:15PM: Manage keys, secrets, and certificates for secure apps and data with Azure Key Vault
Monitoring
• BRK2270 Tues 4PM: Full stack monitoring across application, infrastructure and network with Azure Monitor (workshop: WRK2012 Wed 9AM)
• BRK3354 Thurs 10:15AM: Monitor your infrastructure and analyze operational logs at scale with Azure Monitor
• BRK3349 Tues 11:30AM: Everything about Azure Monitor telemetry and building integration with ITSM and SIEM tools
Resiliency
• BRK3060 Mon 4PM: Backup your data with Azure Backup (workshop: WRK2011 Wed 12:30PM)
• BRK3078 Wed 11:30AM: Ensure application availability with cloud-based disaster recovery, Azure Site Recovery
• BRK3064 Thurs 2:15PM: Implement Cloud Backup and Disaster Recovery at Scale in Azure
Automate
• BRK3063 Fri 12:30PM: Azure Update, Inventory, and Automation for Linux and Windows VM management
• BRK3069 Wed 4PM: What's new in PowerShell
Governance
• BRK3062 Tues 2:15PM: Architecting Security and Governance Across your Azure Subscriptions
• BRK3085 Thurs 4PM: Deep dive into Implementing governance at scale through Azure Policy
• BRK2476 Thurs 9AM: Make the most of Azure by optimizing your cloud spend through Azure Cost Management and Reserved Instances
NEW: Security & management hands-on labs (to be updated CY18 Q4)
Learn more about Azure Governance, Azure Security, Azure Monitor, Azure resiliency and Azure Automation; hands-on experience
25. #azuresatpn
Thank you very much!
Feedback is important!
Tweet: @_geniodelmale #azuresatpn
or send me an email
lorenzo.barbieri@microsoft.com
@_geniodelmale